TREASURY INSPECTOR GENERAL FOR TAX ADMINISTRATION

Treasury Inspector General for Tax Administration – Federal Information Security Management Act Report for Fiscal Year 2012

September 28, 2012

Reference Number: 2012-20-114

This report has cleared the Treasury Inspector General for Tax Administration disclosure review process and information determined to be restricted from public release has been redacted from this document.

Phone Number   | 202-622-6500
E-mail Address | TIGTACommunications@tigta.treas.gov
Website        | http://www.tigta.gov

HIGHLIGHTS

TREASURY INSPECTOR GENERAL FOR TAX ADMINISTRATION – FEDERAL INFORMATION SECURITY MANAGEMENT ACT REPORT FOR FISCAL YEAR 2012

Highlights
Report issued on September 28, 2012

Highlights of Report Number: 2012-20-114 to the Department of the Treasury, Office of the Inspector General, Assistant Inspector General for Audit.

IMPACT ON TAXPAYERS
The IRS collects and maintains a significant amount of personal and financial information on each taxpayer. The IRS also relies extensively on computerized systems to support its responsibilities in collecting taxes, processing tax returns, and enforcing the Federal tax laws. As custodians of taxpayer information, the IRS has an obligation to protect the confidentiality of this sensitive information against unauthorized access or loss. Otherwise, taxpayers could be exposed to invasion of privacy and financial loss or damage from identity theft or other financial crimes.

WHY TIGTA DID THE AUDIT
The Federal Information Security Management Act (FISMA) was enacted to strengthen the security of information and systems within Federal agencies. As part of this legislation, the Offices of Inspectors General are required to perform an annual independent evaluation of each Federal agency’s information security programs and practices. This report reflects TIGTA’s independent evaluation of the status of the IRS’s information security program for Fiscal Year 2012.

WHAT TIGTA FOUND
Based on our Fiscal Year 2012 FISMA evaluation, TIGTA found that the IRS’s information security program was generally compliant with the FISMA requirements. Specifically, TIGTA determined that the following eight program areas met the level of performance specified by the Department of Homeland Security’s Fiscal Year 2012 Inspector General FISMA Reporting Metrics:
• Continuous monitoring management.
• Incident response and reporting.
• Risk management.
• Plan of action and milestones.
• Remote access management.
• Contingency planning.
• Contractor systems.
• Security capital planning.
However, TIGTA determined that the following program areas did not meet the level of performance specified by the Department of Homeland Security’s Fiscal Year 2012 Inspector General FISMA Reporting Metrics as a result of specific program attributes that were missing or other conditions identified that reduced program effectiveness:
• Configuration management.
• Identity and access management.
• Security training.

WHAT TIGTA RECOMMENDED
TIGTA does not include recommendations as part of its annual FISMA evaluation and reports only on the level of performance achieved by the IRS using the guidelines issued by the Department of Homeland Security for the applicable FISMA evaluation period.

DEPARTMENT OF THE TREASURY
WASHINGTON, D.C. 20220

TREASURY INSPECTOR GENERAL FOR TAX ADMINISTRATION

September 28, 2012

MEMORANDUM FOR ASSISTANT INSPECTOR GENERAL FOR AUDIT
               OFFICE OF THE INSPECTOR GENERAL
               DEPARTMENT OF THE TREASURY

FROM:          Michael E. McKenney
               Acting Deputy Inspector General for Audit

SUBJECT:       Treasury Inspector General for Tax Administration – Federal Information Security Management Act Report for Fiscal Year 2012 (Audit # 201220001)

This report presents the results of the Treasury Inspector General for Tax Administration’s Federal Information Security Management Act[1] evaluation for Fiscal Year 2012. The Act requires the Offices of Inspectors General to perform an annual independent evaluation of each Federal agency’s information security program and practices.
This report reflects our independent evaluation of the Internal Revenue Service’s (IRS) information security program and practices for the period under review.

The report was forwarded to the Treasury Inspector General for consolidation into a report issued to the Department of the Treasury Chief Information Officer. Copies of this report are also being sent to the IRS managers affected by the report results.

Please contact me at (202) 622-6510 if you have questions or Alan R. Duncan, Assistant Inspector General for Audit (Security and Information Technology Services), at (202) 622-5894.

[1] Title III of the E-Government Act of 2002, Pub. L. No. 107-374, 116 Stat. 2899.

Table of Contents

Background ........................................................ Page 1

Results of Review ................................................. Page 2
    The Internal Revenue Service’s Information Security Program Generally Complies With the Federal Information Security Management Act, but Improvements Are Needed ........ Page 2

Appendices
    Appendix I – Fiscal Year 2012 Reporting Metrics ............... Page 16
    Appendix II – Major Contributors to This Report ............... Page 30
    Appendix III – Report Distribution List ....................... Page 31
    Appendix IV – Treasury Inspector General for Tax Administration Information Technology Security-Related Reports Issued During the Fiscal Year 2012 Evaluation Period ........ Page 32
    Appendix V – Glossary of Terms ................................ Page 33

Abbreviations

AP         Administrative Priority
Base       Baseline Question
CIO        Chief Information Officer
CISO       Chief Information Security Officer
CM         Continuous Monitoring
CMWG       Continuous Monitoring Working Group
DAA        Designated Accrediting Authority
DHS        Department of Homeland Security
DMZ        Demilitarized Zone
ECMS       Enterprise Configuration Management System
FCD1       Federal Continuity Directive 1
FDCC       Federal Desktop Core Configuration
FISMA      Federal Information Security Management Act
FY         Fiscal Year
GAO        Government Accountability Office
GSS        General Support System
HSPD-12    Homeland Security Presidential Directive-12
IP         Internet Protocol
IRS        Internal Revenue Service
IT         Information Technology
KFM        Key FISMA Metric
MOU        Memorandum of Understanding
NIST       National Institute of Standards and Technology
OIG        Office of the Inspector General
OMB        Office of Management and Budget
PIV        Personal Identity Verification
POA&M      Plan of Action and Milestones
SCAP       Security Content Automation Protocol
SP         Special Publication
TIGTA      Treasury Inspector General for Tax Administration
US-CERT    United States Computer Emergency Response Team
USG        U.S. Government
USGCB      United States Government Configuration Baseline

Background

The Internal Revenue Service (IRS) collects and maintains a significant amount of personal and financial information on each taxpayer. The IRS also relies extensively on computerized systems to support its responsibilities in collecting taxes, processing tax returns, and enforcing Federal tax laws. As custodians of taxpayer information, the IRS has an obligation to protect the confidentiality of this sensitive information against unauthorized access or loss. Otherwise, taxpayers could be exposed to invasion of privacy and financial loss or damage from identity theft or other financial crimes.

The Federal Information Security Management Act (FISMA) of 2002[1] was enacted to strengthen the security of information and systems within Federal agencies. Under the FISMA, agency heads are responsible for providing information security protections commensurate with the risk and magnitude of harm resulting from the unauthorized access, use, disclosure, disruption, modification, or destruction of information and information systems.
Agency heads are also responsible for complying with the requirements of the FISMA, related Office of Management and Budget (OMB) policies, and National Institute of Standards and Technology (NIST) procedures, standards, and guidelines.

As part of this legislation, each Federal Government agency is required to report annually to the OMB on the adequacy and effectiveness of its information security program and practices and compliance with the FISMA. In addition, the FISMA requires the agencies to have an annual independent evaluation of their information security programs and practices performed by the agency Inspector General or an independent external auditor as determined by the Inspector General.[2] The OMB uses the information from the agencies and independent evaluations in its FISMA oversight capacity to assess agency-specific and Federal Government-wide security performance, develop its annual security report to Congress, and assist in improving and maintaining adequate agency security performance.

We based our evaluation of the IRS on the Department of Homeland Security’s (DHS) Fiscal Year (FY) 2012 Inspector General FISMA Reporting Metrics issued on March 6, 2012. These reporting metrics specified the security program areas for the Inspectors General to evaluate and listed specific attributes that each security program area should include, as shown in Appendix I. Major contributors to this report are listed in Appendix II.

[1] Title III of the E-Government Act of 2002, Pub. L. No. 107-374, 116 Stat. 2899.
[2] The FISMA evaluation period for the Department of the Treasury is July 1, 2011, through June 30, 2012. All subsequent references to 2012 refer to the FISMA evaluation period.

Page 1

Results of Review

The Internal Revenue Service’s Information Security Program Generally Complies With the Federal Information Security Management Act, but Improvements Are Needed

The DHS FY 2012 Inspector General FISMA Reporting Metrics specified 11 information security program areas and a total of 96 attributes within the 11 areas for the Inspectors General to evaluate and determine whether agencies had established and maintained an information security program that was generally consistent with the NIST and OMB’s FISMA requirements. The 11 information security program areas are as follows:
• Continuous monitoring management.
• Configuration management.
• Identity and access management.
• Incident response and reporting.
• Risk management.
• Security training.
• Plan of action and milestones.
• Remote access management.
• Contingency planning.
• Contractor systems.
• Security capital planning.

To complete our FISMA evaluation, we reviewed a representative sample of 10 major IRS information systems. For each system in the sample, we assessed the quality of the security assessment and authorization process, the annual testing of controls for continuous monitoring, the testing of information technology contingency plans, and the quality of the plan of action and milestones process.
In addition, we evaluated the IRS’s processes over configuration management, identity and access management, incident response and reporting, security training, remote access management, contractor systems, and security capital planning. During the FY 2012 FISMA evaluation period, we also completed nine audits, as shown in Appendix IV, which evaluated various aspects of information security at the IRS. We considered the results of these audits in our evaluation, as well as results from ongoing audits for which draft reports were issued to the IRS by August 10, 2012.

Based on our FY 2012 FISMA evaluation, we determined that the IRS’s information security program was compliant with the FISMA requirements and met the level of performance for eight of the 11 program areas as specified by the DHS’s FY 2012 Inspector General FISMA Reporting Metrics. However, we also noted that improvements were needed in the remaining three program areas. We determined that these three program areas did not meet the level of performance specified by the DHS’s FY 2012 Inspector General FISMA Reporting Metrics as a result of specific program attributes that were missing or other conditions that we identified which reduced program effectiveness. The three areas needing improvement are as follows:
• Configuration management.
• Identity and access management.
• Security training.

Configuration Management

Configuration management comprises a collection of activities focused on establishing and maintaining the integrity of products and systems through control of the processes for initializing, changing, and monitoring the configurations of those products and systems. Security-focused configuration management is the management and control of secure configurations for an information system to enable security and facilitate the management of risk. Effective configuration management of information systems requires the integration of the management of secure configurations into the organizational configuration management process or processes.

In order to secure both software and hardware, agencies must develop and implement standard configuration baselines that prevent or minimize exploitable system vulnerabilities. The OMB requires all Windows 7, XP, and Vista workstations to conform to the U.S. Government Configuration Baseline. Furthermore, the NIST has created a repository of secure baselines for a wide variety of operating systems and devices. Agencies must also develop and implement sufficient patch management processes, which is a component of configuration management. Any significant delays in patching software with critical vulnerabilities provide ample opportunity for persistent attackers to gain control over the vulnerable computers and get access to the sensitive data they may contain.

The IRS has not fully implemented the following seven configuration management attributes specified by the DHS metrics:
    2.1.3. Assessing for compliance with baseline configurations.
    2.1.5. For Windows-based components, Federal Desktop Core Configuration (FDCC)/U.S. Government Configuration Baseline (USGCB) secure configuration settings fully implemented and any deviations from FDCC/USGCB baseline settings fully documented.
    2.1.6. Documented proposed or actual changes to hardware and software configurations.
    2.1.7. Process for timely and secure installation of software patches.
    2.1.8. Software assessing (scanning) capabilities are fully implemented.
    2.1.9. Configuration-related vulnerabilities, including scan findings, have been remediated in a timely manner, as specified in organization policy or standards.
    2.1.10. Patch management process is fully developed, as specified in organization policy or standards.

2.1.3. Assessing for compliance with baseline configurations.

The IRS is still in the process of implementing tools compliant with the Security Content Automation Protocol (SCAP)[3] to perform security configuration assessments for Windows and UNIX systems. Agencies are required to use SCAP-validated tools, as specified by the NIST, to continuously monitor the security configurations of their information technology assets as part of compliance with the FISMA.

In April 2008, the IRS formally kicked off an initiative to implement the Security Compliance Posture Monitoring and Reporting tool, an enterprise tool that would utilize the NIST-defined protocol.
When in production, the Security Compliance Posture Monitoring and Reporting tool would provide the IRS with the ability to monitor, measure, and manage FISMA security compliance of its Windows and UNIX servers enterprise-wide. Also, it would allow the IRS to retire the Windows and UNIX policy checker programs, which are not SCAP-compliant. However, the IRS has not yet rolled out the Security Compliance Posture Monitoring and Reporting tool.

Also, in September 2011, the Treasury Inspector General for Tax Administration (TIGTA) reported[4] that automated security configuration scans of IRS mainframe databases were not conducted. The Internal Revenue Manual required monthly automated security configuration scans of all operating and database systems. However, the mainframe policy checker does not test configuration compliance for databases that reside on mainframes. The IRS agreed to implement automated security configuration scanning on mainframe databases by March 1, 2013.

[3] The SCAP is a suite of specifications that standardize the format and nomenclature by which security software products communicate software flaw and security configuration information. SCAP is designed to organize, express, and measure security-related information in standardized ways, as well as related reference data, such as identifiers for post-compilation software flaws and security configuration issues. SCAP can be used to maintain the security of enterprise systems, such as automatically verifying the installation of patches, checking system security configuration settings, and examining systems for signs of compromise.
[4] TIGTA, Ref. No. 2011-20-099, The Mainframe Databases Reviewed Met Security Requirements; However, Automated Security Scans Were Not Performed (Sept. 2011).

The IRS has deployed a SCAP-compliant tool (called the SCAP Compliance Checker) for monitoring Federal Desktop Core Configuration compliance on workstations. However, since February 2010, the IRS has been in the process of implementing additional tools for monitoring workstation compliance, called the Treasury Enhanced Security Initiative. The IRS believes the Treasury Enhanced Security Initiative is needed because of the features it has that the SCAP Compliance Checker does not have, including its ability to:
• Discover all assets on the IRS network.
• Identify rogue computers.
• Monitor administrative access privileges.
• Identify noncompliant security configurations for specific workstations.
• Prioritize highest risk systems for timely remediation.
• Automate remediation of some misconfigurations.

However, the Treasury Enhanced Security Initiative has experienced several delays due to the need for infrastructure upgrades and additional server resources, the IRS placing higher priorities on development of other systems, and filing season moratoriums.

2.1.5. For Windows-based components, FDCC/USGCB secure configuration settings fully implemented and any deviations from FDCC/USGCB baseline settings fully documented.

The IRS has not yet fully documented Windows 7 FDCC/USGCB deviations. The User and Network Services organization indicated that it is currently working with stakeholders to identify and document all Windows 7 settings that do not comply with the Internal Revenue Manual or USGCB.

2.1.6. Documented proposed or actual changes to hardware and software configurations.

The IRS had not yet fully implemented configuration and change management controls to ensure that proposed or actual changes to hardware and software configurations are documented. During FY 2012, the Enterprise Services organization was in the process of implementing the Enterprise Configuration Management System (ECMS) to provide an enterprise solution for configuration and change management. The goal of the ECMS is to provide the IRS the capability to automate the configuration management process, enhance and improve the current change management process, provide a platform for the consolidation of change boards, provide a detailed change analysis capability, and support the adoption of robust configuration management and validation.

The ECMS briefing from the Enterprise Services Configuration and Change Management office cites a number of issues with IRS configuration and change management processes, including:
• A number of organizational change management processes are in place, without a clear understanding on how they link back to the “umbrella” configuration and change management standards.
    o Duplicative steps exist in many of the change management processes.
    o Inconsistent integration/coordination exists across processes.
• There is limited enforcement of configuration and change management standards to date.
• Multiple configuration control boards are in place, without a clear definition of what the hand-offs are between them.
• Configuration items do not always have an owner.
• No clear process hand-offs are defined between configuration management, change management, release management, and other service management processes.
• Organizations do not always have a clear understanding of Configuration and Change Management office staff roles.
• Many organizations do not have a clear understanding of what configuration and change management are and what steps they should be following to perform the related processes.
• Configuration and change management standards applied to organizationally owned tools are sometimes “lost in translation.”
• The level of effort required across varied tools and procedures involved in performing configuration management activities is not clear, making it difficult to assign resources.

In July 2012, the Enterprise Services organization deployed the initial release of the ECMS. The ECMS includes a configuration item discovery tool, called the Discovery and Dependency Mapping Advanced tool, for the purpose of establishing a central repository of configuration items for which changes to configuration settings will need to be managed. The Enterprise Services organization plans for the full implementation of the ECMS to occur in FY 2014.

2.1.7. Process for timely and secure installation of software patches.

During the FY 2012 FISMA evaluation period, the TIGTA concluded fieldwork on an audit to evaluate the IRS’s enterprise-wide patch management process.[5] The TIGTA identified that critical patches continue to be missing or are installed in an untimely manner. The IRS’s own patch monitoring reports continue to report unpatched or untimely patched computers.
For example, an IRS-wide patch monitoring report for Windows servers, called the Associate Chief Information Officer Monthly Critical Patch Report, showed the IRS’s overall patch compliance rate for critical patches averaged 88 percent in March 2012, ranging from a low of 63 percent to a high of 88 percent for the six-month period of October 2011 to March 2012. The March 2012 report showed that 7,329 potential vulnerabilities remain on IRS servers because 23 critical patches had not been installed on servers that need them; some of these patches had been released as far back as April 2011. These vulnerabilities could potentially be exploited to gain unauthorized access to information, disrupt operations, or launch attacks against other systems.

[5] TIGTA, Ref. No. 2012-20-012, An Enterprise Approach Is Needed to Address the Security Risk of Unpatched Computers (Sept. 2012).

In addition, the IRS informed us that patching is still manual for the majority of its UNIX operating systems and is not in accordance with patch frequencies required by the Internal Revenue Manual. The Enterprise Operations organization is currently testing a process for automating patching on its UNIX servers.

IRS patch management policy did not provide clear expectations for when patches must be installed. In addition, the IRS has no mechanism to enforce timely patching or to hold system owners accountable for ensuring that their systems are timely patched or that they formally accept the risk of not patching systems timely. By not installing security patches in a timely fashion, the IRS increases the risk that known vulnerabilities in its systems may be exploited.

In March 2012, the Government Accountability Office (GAO) also reported[6] that the IRS did not always apply critical patches or ensure versions of its operating system were still supported by the vendor.

2.1.8. Software assessing (scanning) capabilities are fully implemented.

The IRS’s software assessing (scanning) capabilities are not yet fully implemented. The IRS Organizational Common Controls Security Plan, Version 1, dated June 28, 2012, stated that the required vulnerability scanning control was not in place at the IRS organizational level and that the IRS Cybersecurity organization is still in the process of coordinating with information system owners to implement vulnerability scanning enterprise-wide. It also stated that, for vulnerability scans the IRS did conduct, analysis of the scans was not being performed by the system owners. In addition, it stated that the IRS has not yet deployed an automated mechanism to detect the presence of unauthorized software on IRS information systems.

In June 2012, the TIGTA reported[7] that the IRS had not implemented or enforced enterprise-wide procedures for monitoring and remediating weaknesses reported by nCircle scans. These scans help to identify what details about the information system are discoverable by adversaries and provide an associated risk level/score. During FY 2012, the IRS Cybersecurity organization was in the process of developing enterprise-wide standard operating procedures for reviewing and analyzing the results of vulnerability scans and educating system owners on how to prioritize and resolve the identified weaknesses.

[6] GAO, GAO-12-393, IRS Needs to Further Enhance Internal Control Over Financial Reporting and Taxpayer Data (Mar. 2012).
[7] TIGTA, Ref. No. 2012-20-063, Enterprise-Level Oversight Is Needed to Ensure Adherence to Windows Server Security Policies (June 2012).

In September 2011, the TIGTA reported[8] that four individuals had installed and used personal unauthorized wireless devices on their laptops to connect to the IRS network. The TIGTA recommended that the IRS implement automated nationwide network scans for unauthorized wireless activity, devices, and software and improve processes to handle incidents of noncompliance with IRS security policy so that when unauthorized wireless activity is identified, subsequent investigations and disciplinary actions are effective. The IRS plans to complete the corrective action by September 28, 2012.

Additionally, our review of 10 sample systems’ System Security Plans revealed that vulnerability scans were not being conducted in accordance with the IRS’s defined frequency and process for the three General Support Systems (GSS) in our sample.

2.1.9. Configuration-related vulnerabilities, including scan findings, have been remediated in a timely manner, as specified in organization policy or standards.

In June 2012, the TIGTA reported[9] that monthly scanning results were not consistently being used to correct improper settings on Windows servers in a timely manner; rather, security vulnerabilities of high, medium, and low risk levels were repeatedly reported on Windows Policy Checker reports for two or three consecutive months.
During FY 2012, the Cybersecurity\norganization issued standard operating procedures for the monitoring and remediation of\nweaknesses reported by the Windows server configuration scans to all IRS staff administering\nWindows servers. The document stated that the Cybersecurity organization staff will work with\nthe system administrators, application owners, and project offices to maintain a 100-percent\ncompliance level on all Windows servers across all IRS organizations.\n2.1.10. Patch management process is fully developed, as specified in organization policy or\nstandards.\nDuring the FY 2012 FISMA evaluation period, the TIGTA concluded fieldwork on an audit to\nevaluate the IRS\xe2\x80\x99s enterprise-wide patch management process.10 The TIGTA identified that,\nalthough IRS policy requires the IRS to establish an enterprise-level group with responsibility for\npatch management, no enterprise-level group exists. Due to the lack of enterprise-level oversight\nand leadership, the IRS has not yet implemented key elements of its patch management policies\nand procedures that are needed to ensure all IRS systems are patched timely and operating\n\n\n8\n  TIGTA, Ref. No. 2011-20-101, Security Controls Over Wireless Technology Were Generally in Place; However,\nFurther Actions Can Improve Security (Sept. 2011).\n9\n  TIGTA, Ref. No. 2012-20-063, Enterprise-Level Oversight Is Needed to Ensure Adherence to Windows Server\nSecurity Policies (June 2012).\n10\n   TIGTA, Ref. No. 2012-20-012, An Enterprise Approach Is Needed to Address the Security Risk of Unpatched\nComputers (Sep. 2012).\n                                                                                                     Page 8\n\x0c                 Treasury Inspector General for Tax Administration \xe2\x80\x93 Federal\n              Information Security Management Act Report for Fiscal Year 2012\n\n\n\nsecurely. 
Specifically, the IRS has not:\n   \xef\x82\xb7   Completed the implementation of an accurate and complete inventory of its information\n       technology assets, which is critical for ensuring that patches are identified and applied\n       timely for all types of operating systems and software used within its environment.\n   \xef\x82\xb7   Implemented patch policy and monitoring processes to ensure patches are applied timely\n       enterprise-wide.\n   \xef\x82\xb7   Implemented controls to ensure that unsupported operating systems are not putting the\n       IRS at risk.\nIRS processes to monitor the installation of required patches need improvement. The IRS\xe2\x80\x99s\ncurrent monitoring processes are not sufficient to ensure that vulnerabilities resulting from\nunpatched systems are successfully and timely remediated. The IRS depends on the various IRS\norganizations that manage their own computers to frequently self-report patching data from their\norganization-level patch monitoring reports. This effort is labor intensive and results in\nincomplete and unverified patch data. For example, in March 2012, the IRS Information\nTechnology organization reported that it had not received percentage data for 14 consecutive\nmonths from non-Information Technology managed Windows workstations needing critical\npatches, which it needed to track patch metrics in its Information Technology Internal\nDashboard. Further, the IRS had not established patch performance metrics in terms of setting\ncompliance rate goals and measuring them on a monthly basis to ensure IRS organizations are\ncomplying with security patch policy.\n2.2. 
Please provide any additional information on the effectiveness of the organization\xe2\x80\x99s\nconfiguration management program that was not noted in the questions above.\nTo achieve FISMA-compliant configuration management, the IRS is in the process of\nimplementing a number of tools to automate tasks, that when done manually, are extremely\ntime-consuming and error-prone. However, we are concerned the IRS is not ensuring that it is\navoiding tool redundancy and, therefore, excess cost or that it will be making the most efficient\nuse of the data collections.\nTools or initiatives that the IRS already implemented or are in progress to improve its security\nposture include Business DNA (asset discovery), nCircle (vulnerability scanning), Security\nCompliance Posture Monitoring and Reporting (server configuration management), Treasury\nEnhanced Security Initiative (workstation configuration management), Altiris (Windows server\npatching), Guardium (database scanning), Knowledge Incident/Problem Service Asset\nManagement (asset inventory), CiscoWorks (network management), Tivoli (older asset\nmanagement tool), and a central repository for warehousing and integrating the collected data.\nThe Cybersecurity organization has prepared an Information Technology Security Controls\nTools Strategy for planning how all of this data will be organized and combined to provide\nnear-real-time enterprise security intelligence for decision making.\n\n                                                                                            Page 9\n\x0c                    Treasury Inspector General for Tax Administration \xe2\x80\x93 Federal\n                 Information Security Management Act Report for Fiscal Year 2012\n\n\n\nAs mentioned above, the Enterprise Services organization is also implementing a configuration\nand change management tool, called the ECMS. 
This solution is comprised of a number of\ncommercial off-the-shelf products that include a configuration item discovery tool (the\nDiscovery and Dependency Mapping Advanced tool), a central repository of configuration items\nand related components, change management analysis, and other tools for monitoring and\nmaintaining configuration compliance. The Enterprise Services organization stated that until the\nECMS is implemented, the IRS will continue to lack the capability to effectively implement\nconfiguration and change management.\nWe believe the IRS should ensure that data collected by its various tools and organizations will\nbe efficiently utilized and that the IRS is not developing duplicative configuration management\nprocesses or products. For example, our discussions with the Cybersecurity and Enterprise\nServices organizations revealed that an approach for integrating the configuration management\ndata collected by both organizations has not yet been formulated.\n\nIdentity and Access Management\nProper identity and access management ensures that users and devices are properly authorized to\naccess information or information systems. Users and devices must be authenticated to ensure\nthat they are who they identify themselves to be. In most systems, a user name and password\nserve as the primary means of authentication, while the system enforces authorized access rules\nestablished by the system administrator. To ensure that only authorized users and devices have\naccess to a system, policy and procedures must be in place for the creation, distribution,\nmaintenance, and eventual termination of accounts. 
The use of Personal Identity Verification\n(PIV) cards by all agencies, required by Homeland Security Presidential Directive-12\n(HSPD-12),11 is a major component of a secure, Government-wide account and identity\nmanagement system.\nThe IRS has not fully implemented the following seven identity and access management\nattributes specified by the DHS metrics:\n     3.1.4. If multifactor authentication is in use, it is linked to the organization\xe2\x80\x99s PIV program,\n            where appropriate.\n     3.1.5. Organization has adequately planned for implementation of PIV for logical access in\n            accordance with government policies.\n\n\n\n11\n  On August 27, 2004, President Bush signed HSPD-12, Policy for a Common Identification Standard for Federal\nEmployees and Contractors. This directive established a new standard for issuing and maintaining identification\nbadges for Federal employees and contractors entering Government facilities and accessing computer systems. The\nintent was to improve security, increase Government efficiency, reduce identity fraud, and protect personal privacy.\nAgencies are required to use PIV badges (also referred to as SmartID cards) to access computer systems (logical\naccess).\n                                                                                                           Page 10\n\x0c                   Treasury Inspector General for Tax Administration \xe2\x80\x93 Federal\n                Information Security Management Act Report for Fiscal Year 2012\n\n\n\n     3.1.6. Ensures that the users are granted access based on needs and separation of duties\n            principles.\n     3.1.7. Identifies devices with Internet Protocol addresses that are attached to the network\n            and distinguishes these devices from users.\n     3.1.8. Identifies all user and nonuser accounts (refers to user accounts that are on a system.)\n     3.1.9. 
Ensures that accounts are terminated or deactivated once access is no longer required.\n     3.1.10. Identifies and controls use of shared accounts.\n3.1.4. If multifactor authentication is in use, it is linked to the organization\xe2\x80\x99s PIV program,\nwhere appropriate.\nDuring the FY 2012 FISMA evaluation period, the TIGTA concluded fieldwork on an audit to\nevaluate the implementation and security of the IRS\xe2\x80\x99s two-factor authentication for logical\n(system) access.12 The IRS has not deployed multifactor authentication via the use of an\nHSPD-12 PIV card for all users for network and local access to nonprivileged or privileged\naccounts as required by Federal mandate. Therefore, the IRS\xe2\x80\x99s multifactor authentication is not\nyet linked to its PIV program.\n3.1.5. Organization has adequately planned for implementation of PIV for logical access in\naccordance with Government policies.\nThe IRS has experienced significant delays in deploying PIV cards for logical access, which\nreveals the IRS\xe2\x80\x99s inadequate planning efforts. The Federal Government mandated that agencies\nimplement PIV cards to access computer systems in August 2004. The IRS originally planned to\ncomplete the deployment by September 2011. 
The deployment is now planned to be completed\nby July 2013, but various issues threaten further delays, including:\n     \xef\x82\xb7   The inability of the IRS to require its employees to use their PIV cards for logical access\n         to the network because it did not negotiate mandatory use of the cards with the National\n         Treasury Employees Union.\n     \xef\x82\xb7   Resolving PIV card deployment for system administrators, who currently require separate\n         identities to perform administrator services on computer systems.\n     \xef\x82\xb7   The large number (1,888) of IRS applications that are not yet PIV card-enabled and the\n         lack of resources to change these existing applications.\n\n\n\n\n12\n  TIGTA, Ref. No. 2012-20-115, Using SmartID Cards to Access Computer Systems Is Taking Longer Than\nExpected (Sept. 2012).\n                                                                                                 Page 11\n\x0c                    Treasury Inspector General for Tax Administration \xe2\x80\x93 Federal\n                 Information Security Management Act Report for Fiscal Year 2012\n\n\n\n3.1.6. Ensures that the users are granted access based on needs and separation of duties\nprinciples.\nTwo of the three GSSs in our sample did not have the controls in place to ensure users are\ngranted access based on needs or to enforce separation of duties. Applications residing on GSSs\noften rely on the GSS to implement these controls; therefore, the applications residing on these\nGSSs would also inherit these weaknesses.\nThe most recent security control assessment for one of the two GSSs that did not have these\ncontrols in place stated that accounts are not managed, enforced, separated, or deployed with\nleast privilege in accordance with IRS policy requirements for all GSS components. 
Also, the\nmost recent security control assessment for the other GSS found controls for granting access\nbased on needs and for separation of duties were not implemented. For example, the operating\nsystem administrator could perform database administrator functions.\nIn addition, the GAO reported in March 201213 that IRS authorization controls were not always\nfunctioning as intended and access authorization policies were not effectively implemented. For\nexample, systems used to process tax and financial information did not fully prevent access by\nunauthorized users or excessive levels of access for authorized users. In addition, the IRS\xe2\x80\x99s\ncompliance checks revealed unauthorized access to another system. During its monthly\ncompliance check in August 2011, the IRS identified 16 users who had been granted access to\nthe procurement system without receiving approval from the IRS\xe2\x80\x99s authorization system. Also,\nthe data in a shared work area used to support accounting operations were fully accessible by\nnetwork administration staff although they did not need such access.\n3.1.7. Identifies devices with Internet Protocol addresses that are attached to the network\nand distinguishes these devices from users.\nThe IRS informed us that Business DNA will be its enterprise asset discovery tool for identifying\ndevices on its network. Business DNA network scans can identify devices with Internet Protocol\naddresses that are attached to the network and distinguish these devices from users. However,\nthe full implementation of the Business DNA tool is not expected to be completed until\nSeptember 2012. Therefore, the IRS has not yet fully implemented this attribute.\nWe also found that one of our three sample GSSs did not have device identification and\nauthentication in place. It did not uniquely identify and authenticate devices or users before\nestablishing a connection. 
Also, its firewalls did not use the Terminal Access Controller Access\nControl System14 to authenticate organization users or devices. Rather, these firewalls were\naccessed via a shared administrator account.\n\n\n13\n   GAO, GAO-12-393, IRS Needs to Further Enhance Internal Control Over Financial Reporting and Taxpayer\nData (Mar. 2012).\n14\n   An enterprise access control security system that provides device/network access authentication, authorization,\nand accounting.\n                                                                                                            Page 12\n\x0c                   Treasury Inspector General for Tax Administration \xe2\x80\x93 Federal\n                Information Security Management Act Report for Fiscal Year 2012\n\n\n\n3.1.8. Identifies all user and nonuser accounts.\nNo information was provided to determine how the IRS identifies all user and nonuser accounts.\n3.1.9. Ensures that accounts are terminated or deactivated once access is no longer\nrequired.\nThree of our 10 sample systems (two GSSs and one application) did not have controls in place to\nensure accounts are terminated or deactivated once access is no longer needed. 
The most recent\nsecurity control assessment for one GSS found:\n     \xef\x82\xb7   The system did not disable inactive accounts after 120 days of inactivity and did not\n         employ automated mechanisms to audit account creation, modification, disabling, and\n         termination actions.\n     \xef\x82\xb7   Evidence was not provided to ensure system accounts are reviewed at least annually.\n     \xef\x82\xb7   The system was not configured to notify appropriate individuals when accounts were\n         modified.\n     \xef\x82\xb7   Evidence was not provided to ensure system accounts were reviewed at least annually\n         and automated mechanisms were employed to support system account management\n         functions.\n     \xef\x82\xb7   No automated mechanisms existed to support information system account management\n         functions.\n     \xef\x82\xb7   Inactive accounts were not automatically disabled.\nFor the other GSS, the most recent security control assessment found:\n     \xef\x82\xb7   Accounts were not automatically disabled.\n     \xef\x82\xb7   The log files did not contain any evidence of logging the account creation, modification,\n         disabling, and termination actions of a user account.\nFor the one application, its most recent security control assessment found that it did not disable\naccounts after 45 days or remove accounts after 90 days of inactivity.\nFurther, the GAO reported in March 201215 that the IRS had not taken actions to remove active\napplication accounts in a timely manner for employees who had separated or no longer needed\naccess.\n\n\n\n\n15\n GAO, GAO-12-393, IRS Needs to Further Enhance Internal Control Over Financial Reporting and Taxpayer\nData (Mar. 
2012).\n                                                                                                Page 13\n\x0c                   Treasury Inspector General for Tax Administration \xe2\x80\x93 Federal\n                Information Security Management Act Report for Fiscal Year 2012\n\n\n\n3.1.10. Identifies and controls use of shared accounts.\nOne of the GSSs in our sample was not adequately identifying and controlling use of shared\naccounts. The most recent security control assessment found that the administrative account for\nthis GSS was shared. For example, the operating system administrator had the ability to \xe2\x80\x9cswitch\nuser\xe2\x80\x9d into Oracle using the \xe2\x80\x9croot\xe2\x80\x9d password. This login process is not uniquely linked to any one\nindividual. Rather, this access is \xe2\x80\x9cshared\xe2\x80\x9d among the operating system administrators. Sharing\nthis account in this manner allows fully privileged actions to be taken on the system without any\naccountability. In addition, passwords were stored and transmitted in plaintext.\nAlso, in June 2012, the TIGTA reported16 that administrative accounts on Windows servers were\nnot being properly safeguarded in accordance with IRS policy. Specifically, administrators in\ntwo IRS organizations were using the built-in system administrator accounts to perform normal\nadministrative duties rather than only in emergencies as required by IRS policy. Seven\nadministrators in one organization and 14 administrators in the other were sharing the password\nto the built-in accounts and were using these accounts for administrative tasks rather than using\ntheir unique role-based administrator accounts. 
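The account-management conditions reported under 3.1.9 and 3.1.10 above (inactive accounts not disabled or removed, no audit evidence of account lifecycle actions, annual reviews not documented, and a built-in administrator password shared by several people) are the kind of control gaps a security team can test for mechanically between assessments. The following Python script is an added example and is not IRS or TIGTA code: the account export, the audit-log and logon-record formats, and every sample value in it are constructed for illustration, while the thresholds (120 days, 45 days, 90 days, annual review) are the ones the findings cite.

```python
"""Added example: evidence checks for the 3.1.9 / 3.1.10 account findings.
Not IRS or TIGTA code; all record formats and sample data are constructed."""
import re
from collections import defaultdict
from datetime import date, datetime

# Thresholds cited in the findings: GSS accounts are to be disabled after
# 120 days idle; the sampled application was to disable after 45 days and
# remove after 90; accounts are to be reviewed at least annually.
GSS_DISABLE_DAYS = 120
APP_DISABLE_DAYS = 45
APP_REMOVE_DAYS = 90
REVIEW_DAYS = 365
LIFECYCLE_EVENTS = ("create", "modify", "disable", "terminate")

# Constructed account export as of a fixed evaluation date.
AS_OF = date(2012, 6, 30)
ACCOUNTS = [
    {"name": "jdoe", "last_logon": date(2012, 1, 10), "enabled": True, "last_review": date(2011, 5, 1)},
    {"name": "asmith", "last_logon": date(2012, 6, 20), "enabled": True, "last_review": date(2012, 3, 1)},
    {"name": "svc_rpt", "last_logon": date(2011, 11, 2), "enabled": False, "last_review": date(2012, 2, 9)},
    {"name": "tlee", "last_logon": date(2012, 4, 25), "enabled": True, "last_review": date(2012, 6, 1)},
]


def inactive_account_findings(accounts, as_of, disable_days, remove_days=None):
    """Map account name -> 'disable' or 'remove' for policy violations.
    An enabled account idle longer than disable_days must be disabled; an
    account idle longer than remove_days (when a removal rule exists) must
    be removed even if it was already disabled, which is the application
    finding: disabled after 45 days but never removed after 90."""
    findings = {}
    for acct in accounts:
        idle = (as_of - acct["last_logon"]).days
        if remove_days is not None and idle > remove_days:
            findings[acct["name"]] = "remove"
        elif acct["enabled"] and idle > disable_days:
            findings[acct["name"]] = "disable"
    return findings


def overdue_reviews(accounts, as_of, review_days=REVIEW_DAYS):
    """Accounts whose last documented review is older than review_days."""
    return sorted(a["name"] for a in accounts if (as_of - a["last_review"]).days > review_days)


# Constructed account-audit log: one key=value record per line.
AUDIT_LOG = """\
2012-06-01T09:00:00 event=create account=newhire actor=adm_kwong
2012-06-02T14:30:00 event=modify account=newhire actor=adm_kwong
2012-06-15T11:05:00 event=modify account=jdoe actor=adm_ruiz
"""
AUDIT_RE = re.compile(r"^(?P<ts>\S+) event=(?P<event>\w+) account=(?P<account>\S+) actor=(?P<actor>\S+)$")


def parse_audit_log(text):
    """Parse well-formed audit lines; malformed lines are skipped."""
    return [m.groupdict() for m in (AUDIT_RE.match(l.strip()) for l in text.splitlines()) if m]


def unlogged_lifecycle_events(events, expected=LIFECYCLE_EVENTS):
    """Lifecycle event types with no evidence in the log. A non-empty result
    is the GSS condition: creation, modification, disabling and termination
    actions not being audited."""
    seen = {e["event"] for e in events}
    return [ev for ev in expected if ev not in seen]


# Constructed logon records. The built-in account used from several hosts
# within a short window is the pattern reported for the Windows servers.
LOGON_LOG = """\
2012-06-03T08:01:00 logon user=Administrator src=WS-0142 method=password
2012-06-03T08:07:00 logon user=Administrator src=WS-0311 method=password
2012-06-03T09:40:00 logon user=Administrator src=WS-0155 method=password
2012-06-03T10:12:00 logon user=adm_ruiz src=WS-0311 method=smartcard
2012-06-04T07:55:00 logon user=adm_kwong src=WS-0142 method=smartcard
"""
LOGON_RE = re.compile(r"^(?P<ts>\S+) logon user=(?P<user>\S+) src=(?P<src>\S+) method=(?P<method>\w+)$")


def shared_builtin_use(text, builtin=("Administrator", "root"), window_hours=24):
    """For each built-in account, the distinct source hosts it was used from
    inside any window_hours window. More than one host means the password
    is shared and individual accountability for the account is lost."""
    by_user = defaultdict(list)
    for line in text.splitlines():
        m = LOGON_RE.match(line.strip())
        if m and m["user"] in builtin:
            by_user[m["user"]].append((datetime.fromisoformat(m["ts"]), m["src"]))
    result = {}
    for user, records in by_user.items():
        records.sort()
        for i, (t0, _) in enumerate(records):
            hosts = {s for t, s in records[i:] if (t - t0).total_seconds() <= window_hours * 3600}
            if len(hosts) > 1:
                result[user] = sorted(hosts)
                break
    return result


if __name__ == "__main__":
    print("GSS inactivity:", inactive_account_findings(ACCOUNTS, AS_OF, GSS_DISABLE_DAYS))
    print("App inactivity:", inactive_account_findings(ACCOUNTS, AS_OF, APP_DISABLE_DAYS, APP_REMOVE_DAYS))
    print("Reviews overdue:", overdue_reviews(ACCOUNTS, AS_OF))
    print("Unaudited lifecycle events:", unlogged_lifecycle_events(parse_audit_log(AUDIT_LOG)))
    print("Shared built-in accounts:", shared_builtin_use(LOGON_LOG))
```

Each function returns its finding rather than only printing it, so the same checks can feed a POA&M tracker or a monthly compliance report.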
Consequently, individual accountability was lost as to by whom and for what purposes these full-privileged accounts were being accessed.

[16] TIGTA, Ref. No. 2012-20-063, Enterprise-Level Oversight Is Needed to Ensure Adherence to Windows Server Security Policies (June 2012).

Security Training

The FISMA requires all Government personnel and contractors to complete annual security awareness training that provides instruction on threats to data security and responsibilities for information protection. It also requires specialized training for personnel and contractors with significant security responsibilities. Without adequate security training programs, agencies cannot provide appropriate training or ensure that all personnel receive the required training.

The IRS had not fully implemented the following security training attribute specified by the DHS metrics: 6.1.5. Identification and tracking of the status of specialized training for all personnel (including employees, contractors, and other organization users) with significant information security responsibilities that require specialized training.

6.1.5. Identification and tracking of the status of specialized training for all personnel (including employees, contractors, and other organization users) with significant information security responsibilities that require specialized training.

The DHS provided clarification for this attribute as it relates to contractors, stating that agencies should be providing and tracking completion of specialized training for contractors just as they would for Federal employees. The specialized training requirement is based on the role of the contractor, not just on contractor status. Whoever holds a significant security role needs to receive specialized role-based training.

The IRS has not fully implemented identification and tracking of the status of specialized role-based training for contractors. However, the IRS stated it is making plans to implement such tracking by October 15, 2012. The Contractor Security Management office in the Agency-Wide Shared Services organization is currently leading efforts to modify its contractor tracking system to allow the identification of those contractors with significant security responsibilities, with subsequent plans to implement a process to monitor and track completion of contractor specialized training. Once identified, the IRS would rely on the contractors to provide and self-report the completion of their required specialized training hours. Preliminary IRS results indicated that 919 such contractors were employed during the FISMA FY 2012 reporting period, with only 99 of those having confirmed that they completed the required training.

The IRS did not agree that it should provide specialized training for contractors and supported its position by citing the U.S. Office of Personnel Management’s Training Policy Handbook, which states:

       Since contractors are selected for their expertise in a subject area, contractors may only be trained in skills they are not required to bring to the job. Contractors may be trained in rules, practices, procedures, and/or systems that are unique to the employing agency and essential to the performance of the contractor’s assigned duties, such as agency computer security procedures. However, the authority for training of contractors is not in training law. It is in the authority to administer contracts. Training of contractors is subject to the decision of the chief contracting official.

The IRS stated that to require it to provide, track, and report specialized training completions for contractors would present significant challenges, including requiring thousands of contract language modifications before it could enforce this requirement for contract employees.

                                                                                           Appendix I

                  Fiscal Year 2012 Reporting Metrics

Presented below is the list of reporting metrics questions and information as detailed in the Fiscal Year 2012 Inspector General Federal Information Security Management Act (FISMA) Reporting Metrics.[1] The list is presented in its entirety, along with the accompanying Purpose and Use information. Following each metric is a notation identifying each individual question as an Administration Priority (AP), a Key FISMA Metric (KFM), or a Baseline Question (Base). Many abbreviations in this list are used as presented in the original document and are not defined therein. However, we have provided the definitions in the Abbreviations page after the Table of Contents of this report.

[1] U.S. Department of Homeland Security, National Cyber Security Division, Fiscal Year 2012 Inspector General Federal Information Security Management Act Reporting Metrics, pp. 6–17 (Mar. 2012). The FISMA is encoded in Title III of the E-Government Act of 2002; Pub. L. No. 107-374, 116 Stat. 2899.

1.      CONTINUOUS MONITORING MANAGEMENT
        1.1.    Has the organization established an enterprise-wide continuous monitoring program that assesses the security state of information systems that is consistent with FISMA requirements, OMB policy, and applicable NIST guidelines? If yes, besides the improvement opportunities that may have been identified by the OIG, does the program include the following attributes:
                1.1.1. Documented policies and procedures for continuous monitoring (NIST 800-53: CA-7). (AP)
                1.1.2. Documented strategy and plans for continuous monitoring (NIST 800-37 Rev. 1, Appendix G). (AP)
                1.1.3. Ongoing assessments of security controls (system-specific, hybrid, and common) that have been performed based on the approved continuous monitoring plans (NIST 800-53, NIST 800-53A). (AP)
                1.1.4. Provides authorizing officials and other key system officials with security status reports covering updates to security plans and security assessment reports as well as POA&M additions and updates, with the frequency defined in the strategy and/or plans (NIST 800-53, NIST 800-53A). (AP)
        1.2.    Please provide any additional information on the effectiveness of the organization’s continuous monitoring management program that was not noted in the questions above.

Purpose and Use
These questions are being asked for the following reasons:
     • The Federal Continuous Monitoring Working Group (CMWG) has determined that continuous monitoring (CM) of configurations is one of the first areas where CM capabilities need to be developed. This applies to both operating systems and widely used applications.
     • Even with a completely hardened system, exploitation may still occur due to zero-day vulnerabilities. However, this forces attackers to elevate their sophistication for successful attacks.
     • Rather, a robust continuous monitoring solution will be able to provide additional visibility for organizations to identify signs of compromise, though no single indicator may identify a definitive incident.

2.      CONFIGURATION MANAGEMENT
        2.1.    Has the organization established a security configuration management program that is consistent with FISMA requirements, OMB policy, and applicable NIST guidelines? If yes, besides the improvement opportunities that may have been identified by the OIG, does the program include the following attributes:
                2.1.1. Documented policies and procedures for configuration management. (Base)
                2.1.2. Standard baseline configurations defined. (Base)
                2.1.3. Assessing for compliance with baseline configurations. (Base)
                2.1.4. Process for timely, as specified in organization policy or standards, remediation of scan result deviations. (Base)
                2.1.5. For Windows-based components, FDCC/USGCB secure configuration settings fully implemented and any deviations from FDCC/USGCB baseline settings fully documented. (Base)
                2.1.6. Documented proposed or actual changes to hardware and software configurations. (Base)
                2.1.7. Process for timely and secure installation of software patches. (Base)
                2.1.8. Software assessing (scanning) capabilities are fully implemented (NIST 800-53: RA-5, SI-2). (Base)
                2.1.9. Configuration-related vulnerabilities, including scan findings, have been remediated in a timely manner, as specified in organization policy or standards. (NIST 800-53: CM-4, CM-6, RA-5, SI-2). (Base)
                2.1.10. Patch management process is fully developed, as specified in organization policy or standards. (NIST 800-53: CM-3, SI-2). (Base)
        2.2.    Please provide any additional information on the effectiveness of the organization’s configuration management program that was not noted in the questions above.

Purpose and Use
These questions are being asked for the following reasons:
     • A key goal of configuration management is to make assets harder to exploit through better configuration.
     • A key assumption is that configuration management covers the universe of assets to which other controls need to be applied (controls that are defined under asset management).
     • To have a capable configuration management program, the configuration management capability needs to be:
            o   Relatively complete, covering enough of the software base to significantly increase the effort required for a successful attack.
            o   Relatively timely, being able to find and fix configuration deviations faster than they can be exploited.

3.
    IDENTITY\tAND\tACCESS\tMANAGEMENT\xc2\xa0\n         3.1.   Has\xc2\xa0the\xc2\xa0organization\xc2\xa0established\xc2\xa0an\xc2\xa0identity\xc2\xa0and\xc2\xa0access\xc2\xa0management\xc2\xa0program\xc2\xa0that\xc2\xa0is\xc2\xa0\n                consistent\xc2\xa0with\xc2\xa0FISMA\xc2\xa0requirements,\xc2\xa0OMB\xc2\xa0policy,\xc2\xa0and\xc2\xa0applicable\xc2\xa0NIST\xc2\xa0guidelines\xc2\xa0and\xc2\xa0\n                identifies\xc2\xa0users\xc2\xa0and\xc2\xa0network\xc2\xa0devices?\xc2\xa0\xc2\xa0If\xc2\xa0yes,\xc2\xa0besides\xc2\xa0the\xc2\xa0improvement\xc2\xa0opportunities\xc2\xa0\n                that\xc2\xa0have\xc2\xa0been\xc2\xa0identified\xc2\xa0by\xc2\xa0the\xc2\xa0OIG,\xc2\xa0does\xc2\xa0the\xc2\xa0program\xc2\xa0include\xc2\xa0the\xc2\xa0following\xc2\xa0attributes:\xc2\xa0\n                3.1.1. Documented\xc2\xa0policies\xc2\xa0and\xc2\xa0procedures\xc2\xa0for\xc2\xa0account\xc2\xa0and\xc2\xa0identity\xc2\xa0management\xc2\xa0\n                       (NIST\xc2\xa0800\xe2\x80\x9053:\xc2\xa0AC\xe2\x80\x901).\xc2\xa0(Base)\xc2\xa0\n                3.1.2. Identifies\xc2\xa0all\xc2\xa0users,\xc2\xa0including\xc2\xa0Federal\xc2\xa0employees,\xc2\xa0contractors,\xc2\xa0and\xc2\xa0others\xc2\xa0who\xc2\xa0\n                       access\xc2\xa0organization\xc2\xa0systems\xc2\xa0(NIST\xc2\xa0800\xe2\x80\x9053,\xc2\xa0AC\xe2\x80\x902).\xc2\xa0(Base)\xc2\xa0\n                3.1.3. Identifies\xc2\xa0when\xc2\xa0special\xc2\xa0access\xc2\xa0requirements\xc2\xa0(e.g.,\xc2\xa0multifactor\xc2\xa0authentication)\xc2\xa0\n                       are\xc2\xa0necessary.\xc2\xa0(Base)\xc2\xa0\n                3.1.4. 
If\xc2\xa0multifactor\xc2\xa0authentication\xc2\xa0is\xc2\xa0in\xc2\xa0use,\xc2\xa0it\xc2\xa0is\xc2\xa0linked\xc2\xa0to\xc2\xa0the\xc2\xa0organization\xe2\x80\x99s\xc2\xa0PIV\xc2\xa0\n                       program,\xc2\xa0where\xc2\xa0appropriate\xc2\xa0(NIST\xc2\xa0800\xe2\x80\x9053,\xc2\xa0IA\xe2\x80\x902).\xc2\xa0(KFM)\xc2\xa0\n\n\n                                                                                                     Page 18\n\x0c                  Treasury Inspector General for Tax Administration \xe2\x80\x93 Federal\n               Information Security Management Act Report for Fiscal Year 2012\n\n\n\n                3.1.5. Organization\xc2\xa0has\xc2\xa0adequately\xc2\xa0planned\xc2\xa0for\xc2\xa0implementation\xc2\xa0of\xc2\xa0PIV\xc2\xa0for\xc2\xa0logical\xc2\xa0\n                        access\xc2\xa0in\xc2\xa0accordance\xc2\xa0with\xc2\xa0Government\xc2\xa0policies\xc2\xa0(HSPD\xe2\x80\x9012,\xc2\xa0FIPS\xc2\xa0201,\xc2\xa0\n                        OMB\xc2\xa0M\xe2\x80\x9005\xe2\x80\x9024,\xc2\xa0OMB\xc2\xa0M\xe2\x80\x9007\xe2\x80\x9006,\xc2\xa0OMB\xc2\xa0M\xe2\x80\x9008\xe2\x80\x9001,\xc2\xa0OMB\xc2\xa0M\xe2\x80\x9011\xe2\x80\x9011).\xc2\xa0(AP)\xc2\xa0\n                3.1.6. Ensures\xc2\xa0that\xc2\xa0the\xc2\xa0users\xc2\xa0are\xc2\xa0granted\xc2\xa0access\xc2\xa0based\xc2\xa0on\xc2\xa0needs\xc2\xa0and\xc2\xa0separation\xc2\xa0of\xc2\xa0\n                       duties\xc2\xa0principles.\xc2\xa0(Base)\xc2\xa0\n                3.1.7. 
Identifies\xc2\xa0devices\xc2\xa0with\xc2\xa0IP\xc2\xa0addresses\xc2\xa0that\xc2\xa0are\xc2\xa0attached\xc2\xa0to\xc2\xa0the\xc2\xa0network\xc2\xa0and\xc2\xa0\n                        distinguishes\xc2\xa0these\xc2\xa0devices\xc2\xa0from\xc2\xa0users.\xc2\xa0\xc2\xa0(For\xc2\xa0example:\xc2\xa0\xc2\xa0IP\xc2\xa0phones,\xc2\xa0faxes,\xc2\xa0and\xc2\xa0\n                        printers\xc2\xa0are\xc2\xa0examples\xc2\xa0of\xc2\xa0devices\xc2\xa0attached\xc2\xa0to\xc2\xa0the\xc2\xa0network\xc2\xa0that\xc2\xa0are\xc2\xa0\n                        distinguishable\xc2\xa0from\xc2\xa0desktops,\xc2\xa0laptops,\xc2\xa0or\xc2\xa0servers\xc2\xa0that\xc2\xa0have\xc2\xa0user\xc2\xa0accounts.)\xc2\xa0\n                        (Base)\xc2\xa0\n                3.1.8. Identifies\xc2\xa0all\xc2\xa0user\xc2\xa0and\xc2\xa0nonuser\xc2\xa0accounts\xc2\xa0(refers\xc2\xa0to\xc2\xa0user\xc2\xa0accounts\xc2\xa0that\xc2\xa0are\xc2\xa0on\xc2\xa0a\xc2\xa0\n                        system.\xc2\xa0\xc2\xa0Examples\xc2\xa0of\xc2\xa0nonuser\xc2\xa0accounts\xc2\xa0are\xc2\xa0accounts\xc2\xa0such\xc2\xa0as\xc2\xa0an\xc2\xa0IP\xc2\xa0that\xc2\xa0is\xc2\xa0set\xc2\xa0up\xc2\xa0\n                        for\xc2\xa0printing.\xc2\xa0\xc2\xa0Data\xc2\xa0user\xc2\xa0accounts\xc2\xa0are\xc2\xa0created\xc2\xa0to\xc2\xa0pull\xc2\xa0generic\xc2\xa0information\xc2\xa0from\xc2\xa0a\xc2\xa0\n                        database\xc2\xa0or\xc2\xa0a\xc2\xa0guest/anonymous\xc2\xa0account\xc2\xa0for\xc2\xa0generic\xc2\xa0login\xc2\xa0purposes\xc2\xa0that\xc2\xa0are\xc2\xa0not\xc2\xa0\n                        associated\xc2\xa0with\xc2\xa0a\xc2\xa0single\xc2\xa0user\xc2\xa0or\xc2\xa0a\xc2\xa0specific\xc2\xa0group\xc2\xa0of\xc2\xa0users.)\xc2\xa0(Base)\xc2\xa0\n                3.1.9. Ensures\xc2\xa0that\xc2\xa0accounts\xc2\xa0are\xc2\xa0terminated\xc2\xa0or\xc2\xa0deactivated\xc2\xa0once\xc2\xa0access\xc2\xa0is\xc2\xa0no\xc2\xa0longer\xc2\xa0\n                       required.\xc2\xa0(Base)\xc2\xa0\n                3.1.10. 
Identifies\xc2\xa0and\xc2\xa0controls\xc2\xa0use\xc2\xa0of\xc2\xa0shared\xc2\xa0accounts.\xc2\xa0(Base)\xc2\xa0\n        3.2.    Please\xc2\xa0provide\xc2\xa0any\xc2\xa0additional\xc2\xa0information\xc2\xa0on\xc2\xa0the\xc2\xa0effectiveness\xc2\xa0of\xc2\xa0the\xc2\xa0organization\xe2\x80\x99s\xc2\xa0\n                identity\xc2\xa0and\xc2\xa0access\xc2\xa0management\xc2\xa0program\xc2\xa0that\xc2\xa0was\xc2\xa0not\xc2\xa0noted\xc2\xa0in\xc2\xa0the\xc2\xa0questions\xc2\xa0above.\xc2\xa0\nPurpose\xc2\xa0and\xc2\xa0Use\xc2\xa0\xc2\xa0\nThese\xc2\xa0questions\xc2\xa0are\xc2\xa0being\xc2\xa0asked\xc2\xa0for\xc2\xa0the\xc2\xa0following\xc2\xa0reasons:\xc2\xa0\xc2\xa0\n    \xef\x82\xb7   OMB\xc2\xa0and\xc2\xa0DHS\xc2\xa0have\xc2\xa0determined\xc2\xa0that\xc2\xa0Federal\xc2\xa0identity\xc2\xa0management\xc2\xa0(HSPD\xe2\x80\x9012)\xc2\xa0is\xc2\xa0among\xc2\xa0the\xc2\xa0\n        areas\xc2\xa0where\xc2\xa0additional\xc2\xa0controls\xc2\xa0need\xc2\xa0to\xc2\xa0be\xc2\xa0developed.\xc2\xa0\xc2\xa0See\xc2\xa0also\xc2\xa0OMB\xc2\xa0M\xe2\x80\x9004\xe2\x80\x9004\xc2\xa0for\xc2\xa0web\xe2\x80\x90based\xc2\xa0\n        systems.\xc2\xa0\xc2\xa0\n    \xef\x82\xb7   Strong\xc2\xa0information\xc2\xa0system\xc2\xa0authentication\xc2\xa0requires\xc2\xa0multiple\xc2\xa0factors\xc2\xa0to\xc2\xa0securely\xc2\xa0authenticate\xc2\xa0a\xc2\xa0\n        user.\xc2\xa0\xc2\xa0Secure\xc2\xa0authentication\xc2\xa0requires\xc2\xa0something\xc2\xa0you\xc2\xa0have,\xc2\xa0something\xc2\xa0you\xc2\xa0are,\xc2\xa0and\xc2\xa0something\xc2\xa0\n        you\xc2\xa0know.\xc2\xa0\xc2\xa0A\xc2\xa0single\xe2\x80\x90factor\xc2\xa0authentication\xc2\xa0mechanism,\xc2\xa0such\xc2\xa0as\xc2\xa0a\xc2\xa0username\xc2\xa0and\xc2\xa0password,\xc2\xa0is\xc2\xa0\n        insufficient\xc2\xa0to\xc2\xa0block\xc2\xa0even\xc2\xa0basic\xc2\xa0attackers.\xc2\xa0\xc2\xa0\n    \xef\x82\xb7   
The\xc2\xa0USG\xc2\xa0will\xc2\xa0first\xc2\xa0move\xc2\xa0to\xc2\xa0a\xc2\xa0two\xe2\x80\x90factor\xc2\xa0authentication\xc2\xa0using\xc2\xa0PIV\xc2\xa0cards,\xc2\xa0though\xc2\xa0a\xc2\xa0stronger\xc2\xa0\n        authentication\xc2\xa0solution\xc2\xa0would\xc2\xa0include\xc2\xa0all\xc2\xa0three\xc2\xa0factors.\xc2\xa0\n    \xef\x82\xb7   Enhanced\xc2\xa0identity\xc2\xa0management\xc2\xa0solutions\xc2\xa0also\xc2\xa0support\xc2\xa0the\xc2\xa0adoption\xc2\xa0of\xc2\xa0additional\xc2\xa0nonsecurity\xc2\xa0\n        benefits,\xc2\xa0such\xc2\xa0as\xc2\xa0single\xc2\xa0sign\xe2\x80\x90on,\xc2\xa0more\xc2\xa0useable\xc2\xa0systems,\xc2\xa0and\xc2\xa0enhanced\xc2\xa0identity\xc2\xa0capabilities\xc2\xa0for\xc2\xa0\n        legal\xc2\xa0and\xc2\xa0nonrepudiation\xc2\xa0needs.\xc2\xa0\xc2\xa0\n\n\n                                                                                                 Page 19\n\x0c                     Treasury Inspector General for Tax Administration \xe2\x80\x93 Federal\n                  Information Security Management Act Report for Fiscal Year 2012\n\n\n\n     \xef\x82\xb7   A\xc2\xa0key\xc2\xa0goal\xc2\xa0of\xc2\xa0identity\xc2\xa0and\xc2\xa0access\xc2\xa0management\xc2\xa0is\xc2\xa0to\xc2\xa0make\xc2\xa0sure\xc2\xa0that\xc2\xa0access\xc2\xa0rights\xc2\xa0are\xc2\xa0only\xc2\xa0given\xc2\xa0\n         to\xc2\xa0the\xc2\xa0intended\xc2\xa0individuals\xc2\xa0and/or\xc2\xa0processes.2 \xc2\xa0\n     \xef\x82\xb7   To\xc2\xa0have\xc2\xa0a\xc2\xa0capable\xc2\xa0identity\xc2\xa0management\xc2\xa0program,\xc2\xa0this\xc2\xa0capability\xc2\xa0needs\xc2\xa0to\xc2\xa0be:\xc2\xa0\xc2\xa0\n              o   Relatively\xc2\xa0complete,\xc2\xa0covering\xc2\xa0all\xc2\xa0accounts.\xc2\xa0\xc2\xa0\n              o   Relatively\xc2\xa0timely,\xc2\xa0being\xc2\xa0able\xc2\xa0to\xc2\xa0find\xc2\xa0and\xc2\xa0remove\xc2\xa0stale\xc2\xa0or\xc2\xa0compromised\xc2\xa0accounts\xc2\xa0faster\xc2\xa0\n                  
than\xc2\xa0they\xc2\xa0can\xc2\xa0be\xc2\xa0exploited.\xc2\xa0\xc2\xa0\n\n4.       INCIDENT\tRESPONSE\tAND\tREPORTING\xc2\xa0\n         4.1.     Has\xc2\xa0the\xc2\xa0organization\xc2\xa0established\xc2\xa0an\xc2\xa0incident\xc2\xa0response\xc2\xa0and\xc2\xa0reporting\xc2\xa0program\xc2\xa0that\xc2\xa0is\xc2\xa0\n                  consistent\xc2\xa0with\xc2\xa0FISMA\xc2\xa0requirements,\xc2\xa0OMB\xc2\xa0policy,\xc2\xa0and\xc2\xa0applicable\xc2\xa0NIST\xc2\xa0guidelines?\xc2\xa0\xc2\xa0If\xc2\xa0\n                  yes,\xc2\xa0besides\xc2\xa0the\xc2\xa0improvement\xc2\xa0opportunities\xc2\xa0that\xc2\xa0may\xc2\xa0have\xc2\xa0been\xc2\xa0identified\xc2\xa0by\xc2\xa0the\xc2\xa0OIG,\xc2\xa0\n                  does\xc2\xa0the\xc2\xa0program\xc2\xa0include\xc2\xa0the\xc2\xa0following\xc2\xa0attributes:\xc2\xa0\n                  4.1.1. Documented\xc2\xa0policies\xc2\xa0and\xc2\xa0procedures\xc2\xa0for\xc2\xa0detecting,\xc2\xa0responding\xc2\xa0to,\xc2\xa0and\xc2\xa0\n                         reporting\xc2\xa0incidents\xc2\xa0(NIST\xc2\xa0800\xe2\x80\x9053:\xc2\xa0IR\xe2\x80\x901).\xc2\xa0(Base)\xc2\xa0\n                  4.1.2. Comprehensive\xc2\xa0analysis,\xc2\xa0validation,\xc2\xa0and\xc2\xa0documentation\xc2\xa0of\xc2\xa0incidents.\xc2\xa0(KFM)\xc2\xa0\n                  4.1.3. When\xc2\xa0applicable,\xc2\xa0reports\xc2\xa0to\xc2\xa0US\xe2\x80\x90CERT\xc2\xa0within\xc2\xa0established\xc2\xa0time\xc2\xa0frames\xc2\xa0\n                         (NIST\xc2\xa0800\xe2\x80\x9053,\xc2\xa0800\xe2\x80\x9061,\xc2\xa0and\xc2\xa0OMB\xc2\xa0M\xe2\x80\x9007\xe2\x80\x9016,\xc2\xa0M\xe2\x80\x9006\xe2\x80\x9019).\xc2\xa0(KFM)\xc2\xa0\n                  4.1.4. When\xc2\xa0applicable,\xc2\xa0reports\xc2\xa0to\xc2\xa0law\xc2\xa0enforcement\xc2\xa0within\xc2\xa0established\xc2\xa0time\xc2\xa0frames\xc2\xa0\n                         (SP\xc2\xa0800\xe2\x80\x9086).\xc2\xa0(KFM)\xc2\xa0\n                  4.1.5. 
Responds\xc2\xa0to\xc2\xa0and\xc2\xa0resolves\xc2\xa0incidents\xc2\xa0in\xc2\xa0a\xc2\xa0timely\xc2\xa0manner,\xc2\xa0as\xc2\xa0specified\xc2\xa0in\xc2\xa0\n                            organization\xc2\xa0policy\xc2\xa0or\xc2\xa0standards,\xc2\xa0to\xc2\xa0minimize\xc2\xa0further\xc2\xa0damage\xc2\xa0(NIST\xc2\xa0800\xe2\x80\x9053,\xc2\xa0\n                            800\xe2\x80\x9061,\xc2\xa0and\xc2\xa0OMB\xc2\xa0M\xe2\x80\x9007\xe2\x80\x9016,\xc2\xa0M\xe2\x80\x9006\xe2\x80\x9019).\xc2\xa0(KFM)\xc2\xa0\n                  4.1.6. Is\xc2\xa0capable\xc2\xa0of\xc2\xa0tracking\xc2\xa0and\xc2\xa0managing\xc2\xa0risks\xc2\xa0in\xc2\xa0a\xc2\xa0virtual/cloud\xc2\xa0environment,\xc2\xa0if\xc2\xa0\n                         applicable.\xc2\xa0(Base)\xc2\xa0\n                  4.1.7. Is\xc2\xa0capable\xc2\xa0of\xc2\xa0correlating\xc2\xa0incidents.\xc2\xa0(Base)\xc2\xa0\n                  4.1.8. There\xc2\xa0is\xc2\xa0sufficient\xc2\xa0incident\xc2\xa0monitoring\xc2\xa0and\xc2\xa0detection\xc2\xa0coverage\xc2\xa0in\xc2\xa0accordance\xc2\xa0\n                            with\xc2\xa0Government\xc2\xa0policies\xc2\xa0(NIST\xc2\xa0800\xe2\x80\x9053,\xc2\xa0800\xe2\x80\x9061,\xc2\xa0and\xc2\xa0OMB\xc2\xa0M\xe2\x80\x9007\xe2\x80\x9016,\xc2\xa0M\xe2\x80\x9006\xe2\x80\x9019).\xc2\xa0\n                            (Base)\xc2\xa0\n         4.2.     Please\xc2\xa0provide\xc2\xa0any\xc2\xa0additional\xc2\xa0information\xc2\xa0on\xc2\xa0the\xc2\xa0effectiveness\xc2\xa0of\xc2\xa0the\xc2\xa0organization\xe2\x80\x99s\xc2\xa0\n                  incident\xc2\xa0management\xc2\xa0program\xc2\xa0that\xc2\xa0was\xc2\xa0not\xc2\xa0noted\xc2\xa0in\xc2\xa0the\xc2\xa0questions\xc2\xa0above.\xc2\xa0\n\n\n\n2\n  This is done, of course, by establishing a process to assign attributes to a digital identity and by connecting an\nindividual to that identity. 
However, this would be pointless without subsequently using it to control access.\n                                                                                                                Page 20\n\x0c                   Treasury Inspector General for Tax Administration \xe2\x80\x93 Federal\n                Information Security Management Act Report for Fiscal Year 2012\n\n\n\nPurpose\xc2\xa0and\xc2\xa0Use\xc2\xa0\xc2\xa0\nThese\xc2\xa0questions\xc2\xa0are\xc2\xa0being\xc2\xa0asked\xc2\xa0for\xc2\xa0the\xc2\xa0following\xc2\xa0reasons:\xc2\xa0\xc2\xa0\n     \xef\x82\xb7   Given\xc2\xa0real\xc2\xa0world\xc2\xa0realities,\xc2\xa0it\xc2\xa0is\xc2\xa0reasonable\xc2\xa0to\xc2\xa0expect\xc2\xa0that\xc2\xa0some\xc2\xa0attacks\xc2\xa0will\xc2\xa0succeed.\xc2\xa0\xc2\xa0\n         Organizations\xc2\xa0need\xc2\xa0to\xc2\xa0be\xc2\xa0able\xc2\xa0to\xc2\xa0detect\xc2\xa0those\xc2\xa0attacks.\xc2\xa0\xc2\xa0Ideally,\xc2\xa0organizations\xc2\xa0would\xc2\xa0defend\xc2\xa0\n         against\xc2\xa0those\xc2\xa0attacks\xc2\xa0in\xc2\xa0real\xc2\xa0time;\xc2\xa0but\xc2\xa0at\xc2\xa0a\xc2\xa0minimum,\xc2\xa0organizations\xc2\xa0are\xc2\xa0expected\xc2\xa0to\xc2\xa0determine\xc2\xa0\n         the\xc2\xa0kinds\xc2\xa0of\xc2\xa0attacks\xc2\xa0that\xc2\xa0are\xc2\xa0most\xc2\xa0successful.\xc2\xa0\xc2\xa0\n     \xef\x82\xb7   This\xc2\xa0allows\xc2\xa0the\xc2\xa0organization\xc2\xa0to\xc2\xa0use\xc2\xa0this\xc2\xa0information\xc2\xa0about\xc2\xa0successful\xc2\xa0attacks\xc2\xa0and\xc2\xa0their\xc2\xa0impact\xc2\xa0to\xc2\xa0\n         make\xc2\xa0informed\xc2\xa0risk\xe2\x80\x90based\xc2\xa0decisions\xc2\xa0about\xc2\xa0where\xc2\xa0it\xc2\xa0is\xc2\xa0most\xc2\xa0cost\xc2\xa0effective\xc2\xa0and\xc2\xa0essential\xc2\xa0to\xc2\xa0focus\xc2\xa0\n         security\xc2\xa0resources.\xc2\xa0\xc2\xa0\n\n5.       RISK\tMANAGEMENT\xc2\xa0\n         5.1.    
Has\xc2\xa0the\xc2\xa0organization\xc2\xa0established\xc2\xa0a\xc2\xa0risk\xc2\xa0management\xc2\xa0program\xc2\xa0that\xc2\xa0is\xc2\xa0consistent\xc2\xa0with\xc2\xa0\n                 FISMA\xc2\xa0requirements,\xc2\xa0OMB\xc2\xa0policy,\xc2\xa0and\xc2\xa0applicable\xc2\xa0NIST\xc2\xa0guidelines?\xc2\xa0\xc2\xa0If\xc2\xa0yes,\xc2\xa0besides\xc2\xa0the\xc2\xa0\n                 improvement\xc2\xa0opportunities\xc2\xa0that\xc2\xa0may\xc2\xa0have\xc2\xa0been\xc2\xa0identified\xc2\xa0by\xc2\xa0the\xc2\xa0OIG,\xc2\xa0does\xc2\xa0the\xc2\xa0\n                 program\xc2\xa0include\xc2\xa0the\xc2\xa0following\xc2\xa0attributes:\xc2\xa0\n                 5.1.1. Documented\xc2\xa0and\xc2\xa0centrally\xc2\xa0accessible\xc2\xa0policies\xc2\xa0and\xc2\xa0procedures\xc2\xa0for\xc2\xa0risk\xc2\xa0\n                         management,\xc2\xa0including\xc2\xa0descriptions\xc2\xa0of\xc2\xa0the\xc2\xa0roles\xc2\xa0and\xc2\xa0responsibilities\xc2\xa0of\xc2\xa0\n                         participants\xc2\xa0in\xc2\xa0this\xc2\xa0process.\xc2\xa0(Base)\xc2\xa0\n                 5.1.2. Addresses\xc2\xa0risk\xc2\xa0from\xc2\xa0an\xc2\xa0organization\xc2\xa0perspective\xc2\xa0with\xc2\xa0the\xc2\xa0development\xc2\xa0of\xc2\xa0a\xc2\xa0\n                         comprehensive\xc2\xa0governance\xc2\xa0structure\xc2\xa0and\xc2\xa0organization\xe2\x80\x90wide\xc2\xa0risk\xc2\xa0management\xc2\xa0\n                         strategy\xc2\xa0as\xc2\xa0described\xc2\xa0in\xc2\xa0NIST\xc2\xa0800\xe2\x80\x9037,\xc2\xa0Rev.\xc2\xa01.\xc2\xa0(Base)\xc2\xa0\n                 5.1.3. 
Addresses\xc2\xa0risk\xc2\xa0from\xc2\xa0a\xc2\xa0mission\xc2\xa0and\xc2\xa0business\xc2\xa0process\xc2\xa0perspective\xc2\xa0and\xc2\xa0is\xc2\xa0guided\xc2\xa0by\xc2\xa0\n                         the\xc2\xa0risk\xc2\xa0decisions\xc2\xa0at\xc2\xa0the\xc2\xa0organizational\xc2\xa0perspective,\xc2\xa0as\xc2\xa0described\xc2\xa0in\xc2\xa0NIST\xc2\xa0800\xe2\x80\x9037,\xc2\xa0\n                         Rev.\xc2\xa01.\xc2\xa0(Base)\xc2\xa0\n                 5.1.4. Addresses\xc2\xa0risk\xc2\xa0from\xc2\xa0an\xc2\xa0information\xc2\xa0system\xc2\xa0perspective\xc2\xa0and\xc2\xa0is\xc2\xa0guided\xc2\xa0by\xc2\xa0the\xc2\xa0risk\xc2\xa0\n                         decisions\xc2\xa0at\xc2\xa0the\xc2\xa0organizational\xc2\xa0perspective\xc2\xa0and\xc2\xa0the\xc2\xa0mission\xc2\xa0and\xc2\xa0business\xc2\xa0\n                         perspective,\xc2\xa0as\xc2\xa0described\xc2\xa0in\xc2\xa0NIST\xc2\xa0800\xe2\x80\x9037,\xc2\xa0Rev.\xc2\xa01.\xc2\xa0(Base)\xc2\xa0\n                 5.1.5. Categorizes\xc2\xa0information\xc2\xa0systems\xc2\xa0in\xc2\xa0accordance\xc2\xa0with\xc2\xa0Government\xc2\xa0policies.\xc2\xa0\n                        (Base)\xc2\xa0\n                 5.1.6. Selects\xc2\xa0an\xc2\xa0appropriately\xc2\xa0tailored\xc2\xa0set\xc2\xa0of\xc2\xa0baseline\xc2\xa0security\xc2\xa0controls.\xc2\xa0(Base)\xc2\xa0\n                 5.1.7. Implements\xc2\xa0the\xc2\xa0tailored\xc2\xa0set\xc2\xa0of\xc2\xa0baseline\xc2\xa0security\xc2\xa0controls\xc2\xa0and\xc2\xa0describes\xc2\xa0how\xc2\xa0the\xc2\xa0\n                         controls\xc2\xa0are\xc2\xa0employed\xc2\xa0within\xc2\xa0the\xc2\xa0information\xc2\xa0system\xc2\xa0and\xc2\xa0its\xc2\xa0environment\xc2\xa0of\xc2\xa0\n                         operation.\xc2\xa0(Base)\xc2\xa0\n                 5.1.8. 
Assesses\xc2\xa0the\xc2\xa0security\xc2\xa0controls\xc2\xa0using\xc2\xa0appropriate\xc2\xa0assessment\xc2\xa0procedures\xc2\xa0to\xc2\xa0\n                         determine\xc2\xa0the\xc2\xa0extent\xc2\xa0to\xc2\xa0which\xc2\xa0the\xc2\xa0controls\xc2\xa0are\xc2\xa0implemented\xc2\xa0correctly,\xc2\xa0\n\n                                                                                                    Page 21\n\x0c                  Treasury Inspector General for Tax Administration \xe2\x80\x93 Federal\n               Information Security Management Act Report for Fiscal Year 2012\n\n\n\n                        operating\xc2\xa0as\xc2\xa0intended,\xc2\xa0and\xc2\xa0producing\xc2\xa0the\xc2\xa0desired\xc2\xa0outcome\xc2\xa0with\xc2\xa0respect\xc2\xa0to\xc2\xa0\n                        meeting\xc2\xa0the\xc2\xa0security\xc2\xa0requirements\xc2\xa0for\xc2\xa0the\xc2\xa0system.\xc2\xa0(Base)\xc2\xa0\n                5.1.9. Authorizes\xc2\xa0information\xc2\xa0system\xc2\xa0operation\xc2\xa0based\xc2\xa0on\xc2\xa0a\xc2\xa0determination\xc2\xa0of\xc2\xa0the\xc2\xa0risk\xc2\xa0\n                        to\xc2\xa0organizational\xc2\xa0operations\xc2\xa0and\xc2\xa0assets,\xc2\xa0individuals,\xc2\xa0other\xc2\xa0organizations,\xc2\xa0and\xc2\xa0\n                        the\xc2\xa0Nation\xc2\xa0resulting\xc2\xa0from\xc2\xa0the\xc2\xa0operation\xc2\xa0of\xc2\xa0the\xc2\xa0information\xc2\xa0system\xc2\xa0and\xc2\xa0the\xc2\xa0\n                        decision\xc2\xa0that\xc2\xa0this\xc2\xa0risk\xc2\xa0is\xc2\xa0acceptable.\xc2\xa0(Base)\xc2\xa0\n                5.1.10. 
Ensures\xc2\xa0information\xc2\xa0security\xc2\xa0controls\xc2\xa0are\xc2\xa0monitored\xc2\xa0on\xc2\xa0an\xc2\xa0ongoing\xc2\xa0basis,\xc2\xa0\n                        including\xc2\xa0assessing\xc2\xa0control\xc2\xa0effectiveness,\xc2\xa0documenting\xc2\xa0changes\xc2\xa0to\xc2\xa0the\xc2\xa0system\xc2\xa0or\xc2\xa0\n                        its\xc2\xa0environment\xc2\xa0of\xc2\xa0operation,\xc2\xa0conducting\xc2\xa0security\xc2\xa0impact\xc2\xa0analyses\xc2\xa0of\xc2\xa0the\xc2\xa0\n                        associated\xc2\xa0changes,\xc2\xa0and\xc2\xa0reporting\xc2\xa0the\xc2\xa0security\xc2\xa0state\xc2\xa0of\xc2\xa0the\xc2\xa0system\xc2\xa0to\xc2\xa0designated\xc2\xa0\n                        organizational\xc2\xa0officials.\xc2\xa0(Base)\xc2\xa0\n                5.1.11. Information\xc2\xa0system\xc2\xa0specific\xc2\xa0risks\xc2\xa0(tactical),\xc2\xa0mission/business\xc2\xa0specific\xc2\xa0risks,\xc2\xa0and\xc2\xa0\n                        organizational\xc2\xa0level\xc2\xa0(strategic)\xc2\xa0risks\xc2\xa0are\xc2\xa0communicated\xc2\xa0to\xc2\xa0appropriate\xc2\xa0levels\xc2\xa0of\xc2\xa0\n                        the\xc2\xa0organization.\xc2\xa0(Base)\xc2\xa0\n                5.1.12. Senior\xc2\xa0officials\xc2\xa0are\xc2\xa0briefed\xc2\xa0on\xc2\xa0threat\xc2\xa0activity\xc2\xa0on\xc2\xa0a\xc2\xa0regular\xc2\xa0basis\xc2\xa0by\xc2\xa0appropriate\xc2\xa0\n                        personnel\xc2\xa0(e.g.,\xc2\xa0CISO).\xc2\xa0(Base)\xc2\xa0\n                5.1.13. 
Prescribes\xc2\xa0the\xc2\xa0active\xc2\xa0involvement\xc2\xa0of\xc2\xa0information\xc2\xa0system\xc2\xa0owners\xc2\xa0and\xc2\xa0common\xc2\xa0\n                        control\xc2\xa0providers,\xc2\xa0Chief\xc2\xa0Information\xc2\xa0Officers,\xc2\xa0senior\xc2\xa0information\xc2\xa0security\xc2\xa0\n                        officers,\xc2\xa0authorizing\xc2\xa0officials,\xc2\xa0and\xc2\xa0other\xc2\xa0roles\xc2\xa0as\xc2\xa0applicable\xc2\xa0in\xc2\xa0the\xc2\xa0ongoing\xc2\xa0\n                        management\xc2\xa0of\xc2\xa0information\xc2\xa0system\xe2\x80\x90related\xc2\xa0security\xc2\xa0risks.\xc2\xa0(Base)\xc2\xa0\n                5.1.14. Security\xc2\xa0authorization\xc2\xa0package\xc2\xa0contains\xc2\xa0system\xc2\xa0security\xc2\xa0plan,\xc2\xa0security\xc2\xa0\n                        assessment\xc2\xa0report,\xc2\xa0and\xc2\xa0POA&M\xc2\xa0in\xc2\xa0accordance\xc2\xa0with\xc2\xa0Government\xc2\xa0policies\xc2\xa0\n                        (NIST\xc2\xa0SP\xc2\xa0800\xe2\x80\x9018,\xc2\xa0SP\xc2\xa0800\xe2\x80\x9037).\xc2\xa0(Base)\xc2\xa0\n                5.1.15. Security\xc2\xa0authorization\xc2\xa0package\xc2\xa0contains\xc2\xa0accreditation\xc2\xa0boundaries\xc2\xa0for\xc2\xa0\n                        organization\xc2\xa0information\xc2\xa0systems\xc2\xa0defined\xc2\xa0in\xc2\xa0accordance\xc2\xa0with\xc2\xa0Government\xc2\xa0\n                        policies.\xc2\xa0(Base)\xc2\xa0\n        5.2.    
Please\xc2\xa0provide\xc2\xa0any\xc2\xa0additional\xc2\xa0information\xc2\xa0on\xc2\xa0the\xc2\xa0effectiveness\xc2\xa0of\xc2\xa0the\xc2\xa0organization\xe2\x80\x99s\xc2\xa0risk\xc2\xa0\n                management\xc2\xa0program\xc2\xa0that\xc2\xa0was\xc2\xa0not\xc2\xa0noted\xc2\xa0in\xc2\xa0the\xc2\xa0questions\xc2\xa0above.\xc2\xa0\nPurpose\xc2\xa0and\xc2\xa0Use:\xc2\xa0\xc2\xa0\nThese\xc2\xa0questions\xc2\xa0are\xc2\xa0being\xc2\xa0asked\xc2\xa0for\xc2\xa0the\xc2\xa0following\xc2\xa0reasons:\xc2\xa0\xc2\xa0\n    \xef\x82\xb7   One\xc2\xa0goal\xc2\xa0in\xc2\xa0issuing\xc2\xa0these\xc2\xa0FISMA\xc2\xa0questions\xc2\xa0is\xc2\xa0to\xc2\xa0further\xc2\xa0empower\xc2\xa0OIGs\xc2\xa0to\xc2\xa0focus\xc2\xa0on\xc2\xa0how\xc2\xa0agencies\xc2\xa0\n        are\xc2\xa0evaluating\xc2\xa0risk\xc2\xa0and\xc2\xa0prioritizing\xc2\xa0security\xc2\xa0issues.\xc2\xa0\xc2\xa0\n    \xef\x82\xb7   OIGs\xc2\xa0are\xc2\xa0encouraged\xc2\xa0to\xc2\xa0use\xc2\xa0a\xc2\xa0type\xc2\xa0of\xc2\xa0risk\xc2\xa0analysis\xc2\xa0as\xc2\xa0specified\xc2\xa0in\xc2\xa0NIST\xc2\xa0800\xe2\x80\x9039\xc2\xa0to\xc2\xa0evaluate\xc2\xa0\n        findings\xc2\xa0and\xc2\xa0compare\xc2\xa0those\xc2\xa0to\xc2\xa0(1)\xc2\xa0existing\xc2\xa0organization\xc2\xa0priorities\xc2\xa0and\xc2\xa0(2)\xc2\xa0Administration\xc2\xa0\n\n\n                                                                                                    Page 22\n\x0c                   Treasury Inspector General for Tax Administration \xe2\x80\x93 Federal\n                Information Security Management Act Report for Fiscal Year 2012\n\n\n\n         priorities\xc2\xa0and\xc2\xa0key\xc2\xa0FISMA\xc2\xa0metrics\xc2\xa0identified\xc2\xa0in\xc2\xa0the\xc2\xa0CIO\xc2\xa0metrics\xc2\xa0to\xc2\xa0determine\xc2\xa0areas\xc2\xa0of\xc2\xa0weakness\xc2\xa0\n         and\xc2\xa0highlight\xc2\xa0the\xc2\xa0significance\xc2\xa0of\xc2\xa0security\xc2\xa0issues.\xc2\xa0\xc2\xa0\n\n6.       SECURITY\tTRAINING\xc2\xa0\n         6.1.    
Has\xc2\xa0the\xc2\xa0organization\xc2\xa0established\xc2\xa0a\xc2\xa0security\xc2\xa0training\xc2\xa0program\xc2\xa0that\xc2\xa0is\xc2\xa0consistent\xc2\xa0with\xc2\xa0\n                 FISMA\xc2\xa0requirements,\xc2\xa0OMB\xc2\xa0policy,\xc2\xa0and\xc2\xa0applicable\xc2\xa0NIST\xc2\xa0guidelines?\xc2\xa0\xc2\xa0If\xc2\xa0yes,\xc2\xa0besides\xc2\xa0the\xc2\xa0\n                 improvement\xc2\xa0opportunities\xc2\xa0that\xc2\xa0may\xc2\xa0have\xc2\xa0been\xc2\xa0identified\xc2\xa0by\xc2\xa0the\xc2\xa0OIG,\xc2\xa0does\xc2\xa0the\xc2\xa0\n                 program\xc2\xa0include\xc2\xa0the\xc2\xa0following\xc2\xa0attributes:\xc2\xa0\n                 6.1.1. Documented\xc2\xa0policies\xc2\xa0and\xc2\xa0procedures\xc2\xa0for\xc2\xa0security\xc2\xa0awareness\xc2\xa0training\xc2\xa0\n                        (NIST\xc2\xa0800\xe2\x80\x9053:\xc2\xa0AT\xe2\x80\x901).\xc2\xa0(Base)\xc2\xa0\n                 6.1.2. Documented\xc2\xa0policies\xc2\xa0and\xc2\xa0procedures\xc2\xa0for\xc2\xa0specialized\xc2\xa0training\xc2\xa0for\xc2\xa0users\xc2\xa0with\xc2\xa0\n                        significant\xc2\xa0information\xc2\xa0security\xc2\xa0responsibilities.\xc2\xa0(Base)\xc2\xa0\n                 6.1.3. Security\xc2\xa0training\xc2\xa0content\xc2\xa0based\xc2\xa0on\xc2\xa0the\xc2\xa0organization\xc2\xa0and\xc2\xa0roles,\xc2\xa0as\xc2\xa0specified\xc2\xa0in\xc2\xa0\n                        organization\xc2\xa0policy\xc2\xa0or\xc2\xa0standards.\xc2\xa0(Base)\xc2\xa0\n                 6.1.4. 
Identification\xc2\xa0and\xc2\xa0tracking\xc2\xa0of\xc2\xa0the\xc2\xa0status\xc2\xa0of\xc2\xa0security\xc2\xa0awareness\xc2\xa0training\xc2\xa0for\xc2\xa0all\xc2\xa0\n                         personnel\xc2\xa0(including\xc2\xa0employees,\xc2\xa0contractors,\xc2\xa0and\xc2\xa0other\xc2\xa0organization\xc2\xa0users)\xc2\xa0with\xc2\xa0\n                         access\xc2\xa0privileges\xc2\xa0that\xc2\xa0require\xc2\xa0security\xc2\xa0awareness\xc2\xa0training.\xc2\xa0(KFM)\xc2\xa0\n                 6.1.5. Identification\xc2\xa0and\xc2\xa0tracking\xc2\xa0of\xc2\xa0the\xc2\xa0status\xc2\xa0of\xc2\xa0specialized\xc2\xa0training\xc2\xa0for\xc2\xa0all\xc2\xa0personnel\xc2\xa0\n                         (including\xc2\xa0employees,\xc2\xa0contractors,\xc2\xa0and\xc2\xa0other\xc2\xa0organization\xc2\xa0users)\xc2\xa0with\xc2\xa0significant\xc2\xa0\n                         information\xc2\xa0security\xc2\xa0responsibilities\xc2\xa0that\xc2\xa0require\xc2\xa0specialized\xc2\xa0training.\xc2\xa0(KFM)\xc2\xa0\n                 6.1.6. Training\xc2\xa0material\xc2\xa0for\xc2\xa0security\xc2\xa0awareness\xc2\xa0training\xc2\xa0does\xc2\xa0not\xc2\xa0contain\xc2\xa0appropriate\xc2\xa0\n                        content\xc2\xa0for\xc2\xa0the\xc2\xa0organization\xc2\xa0(NIST\xc2\xa0SP\xc2\xa0800\xe2\x80\x9050,\xc2\xa0SP\xc2\xa0800\xe2\x80\x9053).\xc2\xa0(Base)\xc2\xa0\n         6.2.    
Please\xc2\xa0provide\xc2\xa0any\xc2\xa0additional\xc2\xa0information\xc2\xa0on\xc2\xa0the\xc2\xa0effectiveness\xc2\xa0of\xc2\xa0the\xc2\xa0organization\xe2\x80\x99s\xc2\xa0\n                 security\xc2\xa0training\xc2\xa0program\xc2\xa0that\xc2\xa0was\xc2\xa0not\xc2\xa0noted\xc2\xa0in\xc2\xa0the\xc2\xa0questions\xc2\xa0above.\xc2\xa0\nPurpose\xc2\xa0and\xc2\xa0Use\xc2\xa0\xc2\xa0\nThese\xc2\xa0questions\xc2\xa0are\xc2\xa0being\xc2\xa0asked\xc2\xa0for\xc2\xa0the\xc2\xa0following\xc2\xa0reasons:\xc2\xa0\xc2\xa0\n     \xef\x82\xb7   Some\xc2\xa0of\xc2\xa0the\xc2\xa0most\xc2\xa0effective\xc2\xa0attacks\xc2\xa0on\xc2\xa0cyber\xe2\x80\x90networks\xc2\xa0world\xe2\x80\x90wide\xc2\xa0currently\xc2\xa0are\xc2\xa0directed\xc2\xa0at\xc2\xa0\n         exploiting\xc2\xa0user\xc2\xa0behavior.\xc2\xa0\xc2\xa0These\xc2\xa0include\xc2\xa0phishing\xc2\xa0attacks,\xc2\xa0social\xc2\xa0engineering\xc2\xa0to\xc2\xa0obtain\xc2\xa0\n         passwords,\xc2\xa0and\xc2\xa0introduction\xc2\xa0of\xc2\xa0malware\xc2\xa0via\xc2\xa0removable\xc2\xa0media.\xc2\xa0\xc2\xa0\n     \xef\x82\xb7   These\xc2\xa0threats\xc2\xa0are\xc2\xa0especially\xc2\xa0effective\xc2\xa0when\xc2\xa0directed\xc2\xa0at\xc2\xa0those\xc2\xa0with\xc2\xa0elevated\xc2\xa0network\xc2\xa0privileges\xc2\xa0\n         and/or\xc2\xa0other\xc2\xa0elevated\xc2\xa0cyber\xc2\xa0responsibilities.\xc2\xa0\xc2\xa0\n     \xef\x82\xb7   DHS\xc2\xa0has\xc2\xa0determined\xc2\xa0that\xc2\xa0some\xc2\xa0metrics\xc2\xa0in\xc2\xa0this\xc2\xa0section\xc2\xa0are\xc2\xa0prioritized\xc2\xa0as\xc2\xa0Key\xc2\xa0FISMA\xc2\xa0Metrics.\xc2\xa0\xc2\xa0\n     \xef\x82\xb7   Some\xc2\xa0questions\xc2\xa0in\xc2\xa0this\xc2\xa0section\xc2\xa0also\xc2\xa0contain\xc2\xa0baseline\xc2\xa0information\xc2\xa0to\xc2\xa0be\xc2\xa0used\xc2\xa0to\xc2\xa0assess\xc2\xa0future\xc2\xa0\n         improvement\xc2\xa0in\xc2\xa0performance.\xc2\xa0\xc2\xa0\n\n                                                                                                    Page 23\n\x0c 
    • The metrics will be used to assess the extent to which organizations are providing adequate training to address these attacks and threats.

7. PLAN OF ACTION & MILESTONES (POA&M)
    7.1. Has the organization established a POA&M program that is consistent with FISMA requirements, OMB policy, and applicable NIST guidelines and tracks and monitors known information security weaknesses? If yes, besides the improvement opportunities that may have been identified by the OIG, does the program include the following attributes:
        7.1.1. Documented policies and procedures for managing IT security weaknesses discovered during security control assessments and requiring remediation. (Base)
        7.1.2. Tracks, prioritizes, and remediates weaknesses. (Base)
        7.1.3. Ensures remediation plans are effective for correcting weaknesses. (Base)
        7.1.4. Establishes and adheres to milestone remediation dates. (Base)
        7.1.5. Ensures resources are provided for correcting weaknesses. (Base)
        7.1.6. POA&Ms include security weaknesses discovered during assessments of security controls and requiring remediation. (Do not need to include security weakness due to a risk-based decision to not implement a security control) (OMB M-04-25). (Base)
        7.1.7. Costs associated with remediating weaknesses are identified (NIST SP 800-53, Rev. 3, Control PM-3 and OMB M-04-25). (Base)
        7.1.8. Program officials and contractors report progress on remediation to CIO on a regular basis, at least quarterly, and the CIO centrally tracks, maintains, and independently reviews/validates the POA&M activities at least quarterly (NIST SP 800-53, Rev. 3, Control CA-5, and OMB M-04-25). (Base)
    7.2. Please provide any additional information on the effectiveness of the organization's POA&M program that was not noted in the questions above.

Purpose and Use
These questions are being asked for the following reasons:
    • POA&M processes are important as part of the risk management process to track problems and to decide which ones to address.

8. REMOTE ACCESS MANAGEMENT
    8.1.
Has\xc2\xa0the\xc2\xa0organization\xc2\xa0established\xc2\xa0a\xc2\xa0remote\xc2\xa0access\xc2\xa0program\xc2\xa0that\xc2\xa0is\xc2\xa0consistent\xc2\xa0with\xc2\xa0FISMA\xc2\xa0\n                 requirements,\xc2\xa0OMB\xc2\xa0policy,\xc2\xa0and\xc2\xa0applicable\xc2\xa0NIST\xc2\xa0guidelines?\xc2\xa0\xc2\xa0If\xc2\xa0yes,\xc2\xa0besides\xc2\xa0the\xc2\xa0\n                 improvement\xc2\xa0opportunities\xc2\xa0that\xc2\xa0may\xc2\xa0have\xc2\xa0been\xc2\xa0identified\xc2\xa0by\xc2\xa0the\xc2\xa0OIG,\xc2\xa0does\xc2\xa0the\xc2\xa0\n                 program\xc2\xa0include\xc2\xa0the\xc2\xa0following\xc2\xa0attributes:\xc2\xa0\n                 8.1.1. Documented\xc2\xa0policies\xc2\xa0and\xc2\xa0procedures\xc2\xa0for\xc2\xa0authorizing,\xc2\xa0monitoring,\xc2\xa0and\xc2\xa0\n                         controlling\xc2\xa0all\xc2\xa0methods\xc2\xa0of\xc2\xa0remote\xc2\xa0access\xc2\xa0(NIST\xc2\xa0800\xe2\x80\x9053:\xc2\xa0AC\xe2\x80\x901,\xc2\xa0AC\xe2\x80\x9017).\xc2\xa0(Base)\xc2\xa0\n                 8.1.2. Protects\xc2\xa0against\xc2\xa0unauthorized\xc2\xa0connections\xc2\xa0or\xc2\xa0subversion\xc2\xa0of\xc2\xa0authorized\xc2\xa0\n                        connections.\xc2\xa0(Base)\xc2\xa0\n                 8.1.3. Users\xc2\xa0are\xc2\xa0uniquely\xc2\xa0identified\xc2\xa0and\xc2\xa0authenticated\xc2\xa0for\xc2\xa0all\xc2\xa0access\xc2\xa0(NIST\xc2\xa0800\xe2\x80\x9046,\xc2\xa0\n                        Section\xc2\xa04.2,\xc2\xa0Section\xc2\xa05.1).\xc2\xa0(Base)\xc2\xa0\n                 8.1.4. Telecommuting\xc2\xa0policy\xc2\xa0is\xc2\xa0fully\xc2\xa0developed\xc2\xa0(NIST\xc2\xa0800\xe2\x80\x9046,\xc2\xa0Section\xc2\xa05.1).\xc2\xa0(Base)\xc2\xa0\n                 8.1.5. If\xc2\xa0applicable,\xc2\xa0multifactor\xc2\xa0authentication\xc2\xa0is\xc2\xa0required\xc2\xa0for\xc2\xa0remote\xc2\xa0access\xc2\xa0\n                        (NIST\xc2\xa0800\xe2\x80\x9046,\xc2\xa0Section\xc2\xa02.2,\xc2\xa0Section\xc2\xa03.3).\xc2\xa0(KFM)\xc2\xa0\n                 8.1.6. 
Authentication\xc2\xa0mechanisms\xc2\xa0meet\xc2\xa0NIST\xc2\xa0Special\xc2\xa0Publication\xc2\xa0800\xe2\x80\x9063\xc2\xa0guidance\xc2\xa0on\xc2\xa0\n                        remote\xc2\xa0electronic\xc2\xa0authentication,\xc2\xa0including\xc2\xa0strength\xc2\xa0mechanisms.\xc2\xa0(Base)\xc2\xa0\n                 8.1.7. Defines\xc2\xa0and\xc2\xa0implements\xc2\xa0encryption\xc2\xa0requirements\xc2\xa0for\xc2\xa0information\xc2\xa0transmitted\xc2\xa0\n                        across\xc2\xa0public\xc2\xa0networks.\xc2\xa0(KFM)\xc2\xa0\n                 8.1.8. Remote\xc2\xa0access\xc2\xa0sessions,\xc2\xa0in\xc2\xa0accordance\xc2\xa0to\xc2\xa0OMB\xc2\xa0M\xe2\x80\x9007\xe2\x80\x9016,\xc2\xa0are\xc2\xa0timed\xc2\xa0out\xc2\xa0after\xc2\xa0\n                        30\xc2\xa0minutes\xc2\xa0of\xc2\xa0inactivity,\xc2\xa0after\xc2\xa0which\xc2\xa0reauthentication\xc2\xa0is\xc2\xa0required.\xc2\xa0(Base)\xc2\xa0\n                 8.1.9. Lost\xc2\xa0or\xc2\xa0stolen\xc2\xa0devices\xc2\xa0are\xc2\xa0disabled\xc2\xa0and\xc2\xa0appropriately\xc2\xa0reported\xc2\xa0(NIST\xc2\xa0800\xe2\x80\x9046,\xc2\xa0\n                        Section\xc2\xa04.3,\xc2\xa0US\xe2\x80\x90CERT\xc2\xa0Incident\xc2\xa0Reporting\xc2\xa0Guidelines).\xc2\xa0(Base)\xc2\xa0\n                 8.1.10. Remote\xc2\xa0access\xc2\xa0rules\xc2\xa0of\xc2\xa0behavior\xc2\xa0are\xc2\xa0adequate\xc2\xa0in\xc2\xa0accordance\xc2\xa0with\xc2\xa0Government\xc2\xa0\n                         policies\xc2\xa0(NIST\xc2\xa0800\xe2\x80\x9053,\xc2\xa0PL\xe2\x80\x904).\xc2\xa0(Base)\xc2\xa0\n                 8.1.11. Remote\xc2\xa0access\xc2\xa0user\xc2\xa0agreements\xc2\xa0are\xc2\xa0adequate\xc2\xa0in\xc2\xa0accordance\xc2\xa0with\xc2\xa0Government\xc2\xa0\n                         policies\xc2\xa0(NIST\xc2\xa0800\xe2\x80\x9046,\xc2\xa0Section\xc2\xa05.1,\xc2\xa0NIST\xc2\xa0800\xe2\x80\x9053,\xc2\xa0PS\xe2\x80\x906).\xc2\xa0(Base)\xc2\xa0\n         8.2.    
Please\xc2\xa0provide\xc2\xa0any\xc2\xa0additional\xc2\xa0information\xc2\xa0on\xc2\xa0the\xc2\xa0effectiveness\xc2\xa0of\xc2\xa0the\xc2\xa0organization\xe2\x80\x99s\xc2\xa0\n                 remote\xc2\xa0access\xc2\xa0management\xc2\xa0that\xc2\xa0was\xc2\xa0not\xc2\xa0noted\xc2\xa0in\xc2\xa0the\xc2\xa0questions\xc2\xa0above.\xc2\xa0\nPurpose\xc2\xa0and\xc2\xa0Use\xc2\xa0\xc2\xa0\nThese\xc2\xa0questions\xc2\xa0are\xc2\xa0being\xc2\xa0asked\xc2\xa0for\xc2\xa0the\xc2\xa0following\xc2\xa0reasons:\xc2\xa0\xc2\xa0\n     \xef\x82\xb7   Adequate\xc2\xa0control\xc2\xa0of\xc2\xa0remote\xc2\xa0connections\xc2\xa0is\xc2\xa0a\xc2\xa0critical\xc2\xa0part\xc2\xa0of\xc2\xa0boundary\xc2\xa0protection.\xc2\xa0\xc2\xa0\n\n\n\n                                                                                                   Page 25\n\x0c                   Treasury Inspector General for Tax Administration \xe2\x80\x93 Federal\n                Information Security Management Act Report for Fiscal Year 2012\n\n\n\n     \xef\x82\xb7   Attackers\xc2\xa0exploit\xc2\xa0boundary\xc2\xa0systems\xc2\xa0on\xc2\xa0Internet\xe2\x80\x90accessible\xc2\xa0DMZ\xc2\xa0networks\xc2\xa0(and\xc2\xa0on\xc2\xa0internal\xc2\xa0\n         network\xc2\xa0boundaries)\xc2\xa0and\xc2\xa0then\xc2\xa0pivot\xc2\xa0to\xc2\xa0gain\xc2\xa0deeper\xc2\xa0access\xc2\xa0on\xc2\xa0internal\xc2\xa0networks.\xc2\xa0\xc2\xa0Responses\xc2\xa0to\xc2\xa0\n         the\xc2\xa0above\xc2\xa0questions\xc2\xa0will\xc2\xa0help\xc2\xa0agencies\xc2\xa0deter,\xc2\xa0detect,\xc2\xa0and\xc2\xa0defend\xc2\xa0against\xc2\xa0unauthorized\xc2\xa0network\xc2\xa0\n         connections/access\xc2\xa0to\xc2\xa0internal\xc2\xa0and\xc2\xa0external\xc2\xa0networks.\xc2\xa0\xc2\xa0\n     \xef\x82\xb7   Remote\xc2\xa0connections\xc2\xa0allow\xc2\xa0users\xc2\xa0to\xc2\xa0access\xc2\xa0the\xc2\xa0network\xc2\xa0without\xc2\xa0gaining\xc2\xa0physical\xc2\xa0access\xc2\xa0to\xc2\xa0\n         
organization\xc2\xa0space\xc2\xa0and\xc2\xa0the\xc2\xa0computers\xc2\xa0hosted\xc2\xa0there.\xc2\xa0\xc2\xa0Moreover,\xc2\xa0the\xc2\xa0connections\xc2\xa0over\xc2\xa0the\xc2\xa0\n         Internet\xc2\xa0provide\xc2\xa0opportunities\xc2\xa0for\xc2\xa0compromise\xc2\xa0of\xc2\xa0information\xc2\xa0in\xc2\xa0transit.\xc2\xa0\xc2\xa0Because\xc2\xa0these\xc2\xa0\n         connections\xc2\xa0are\xc2\xa0beyond\xc2\xa0physical\xc2\xa0security\xc2\xa0controls,\xc2\xa0they\xc2\xa0need\xc2\xa0compensating\xc2\xa0controls\xc2\xa0to\xc2\xa0ensure\xc2\xa0\n         that\xc2\xa0only\xc2\xa0properly\xc2\xa0identified\xc2\xa0and\xc2\xa0authenticated\xc2\xa0users\xc2\xa0gain\xc2\xa0access\xc2\xa0and\xc2\xa0that\xc2\xa0the\xc2\xa0connections\xc2\xa0\n         prevent\xc2\xa0hijacking\xc2\xa0by\xc2\xa0others.\xc2\xa0\xc2\xa0\n\n9.       CONTINGENCY\tPLANNING\xc2\xa0\n         9.1.   Has\xc2\xa0the\xc2\xa0organization\xc2\xa0established\xc2\xa0an\xc2\xa0enterprise\xe2\x80\x90wide\xc2\xa0business\xc2\xa0continuity/disaster\xc2\xa0\n                recovery\xc2\xa0program\xc2\xa0that\xc2\xa0is\xc2\xa0consistent\xc2\xa0with\xc2\xa0FISMA\xc2\xa0requirements,\xc2\xa0OMB\xc2\xa0policy,\xc2\xa0and\xc2\xa0\n                applicable\xc2\xa0NIST\xc2\xa0guidelines?\xc2\xa0\xc2\xa0If\xc2\xa0yes,\xc2\xa0besides\xc2\xa0the\xc2\xa0improvement\xc2\xa0opportunities\xc2\xa0that\xc2\xa0may\xc2\xa0\n                have\xc2\xa0been\xc2\xa0identified\xc2\xa0by\xc2\xa0the\xc2\xa0OIG,\xc2\xa0does\xc2\xa0the\xc2\xa0program\xc2\xa0include\xc2\xa0the\xc2\xa0following\xc2\xa0attributes:\xc2\xa0\n                9.1.1. 
Documented\xc2\xa0business\xc2\xa0continuity\xc2\xa0and\xc2\xa0disaster\xc2\xa0recovery\xc2\xa0policy\xc2\xa0providing\xc2\xa0the\xc2\xa0\n                        authority\xc2\xa0and\xc2\xa0guidance\xc2\xa0necessary\xc2\xa0to\xc2\xa0reduce\xc2\xa0the\xc2\xa0impact\xc2\xa0of\xc2\xa0a\xc2\xa0disruptive\xc2\xa0event\xc2\xa0or\xc2\xa0\n                        disaster\xc2\xa0(NIST\xc2\xa0800\xe2\x80\x9053:\xc2\xa0CP\xe2\x80\x901).\xc2\xa0(Base)\xc2\xa0\n                9.1.2. The\xc2\xa0organization\xc2\xa0has\xc2\xa0performed\xc2\xa0an\xc2\xa0overall\xc2\xa0Business\xc2\xa0Impact\xc2\xa0Analysis\xc2\xa0(BIA)\xc2\xa0\n                       (NIST\xc2\xa0SP\xc2\xa0800\xe2\x80\x9034).\xc2\xa0(Base)\xc2\xa0\n                9.1.3. Development\xc2\xa0and\xc2\xa0documentation\xc2\xa0of\xc2\xa0division,\xc2\xa0component,\xc2\xa0and\xc2\xa0IT\xc2\xa0infrastructure\xc2\xa0\n                       recovery\xc2\xa0strategies,\xc2\xa0plans,\xc2\xa0and\xc2\xa0procedures\xc2\xa0(NIST\xc2\xa0SP\xc2\xa0800\xe2\x80\x9034).\xc2\xa0(Base)\xc2\xa0\n                9.1.4. Testing\xc2\xa0of\xc2\xa0system\xe2\x80\x90specific\xc2\xa0contingency\xc2\xa0plans.\xc2\xa0(Base)\xc2\xa0\n                9.1.5. The\xc2\xa0documented\xc2\xa0business\xc2\xa0continuity\xc2\xa0and\xc2\xa0disaster\xc2\xa0recovery\xc2\xa0plans\xc2\xa0are\xc2\xa0in\xc2\xa0place\xc2\xa0\n                       and\xc2\xa0can\xc2\xa0be\xc2\xa0implemented\xc2\xa0when\xc2\xa0necessary\xc2\xa0(FCD1,\xc2\xa0NIST\xc2\xa0SP\xc2\xa0800\xe2\x80\x9034).\xc2\xa0(Base)\xc2\xa0\n                9.1.6. Development\xc2\xa0and\xc2\xa0fully\xc2\xa0implementable\xc2\xa0of\xc2\xa0test,\xc2\xa0training,\xc2\xa0and\xc2\xa0exercise\xc2\xa0(TT&E)\xc2\xa0\n                       programs\xc2\xa0(FCD1,\xc2\xa0NIST\xc2\xa0SP\xc2\xa0800\xe2\x80\x9034,\xc2\xa0NIST\xc2\xa0800\xe2\x80\x9053).\xc2\xa0(Base)\xc2\xa0\n                9.1.7. 
Performance\xc2\xa0of\xc2\xa0regular\xc2\xa0ongoing\xc2\xa0testing\xc2\xa0or\xc2\xa0exercising\xc2\xa0of\xc2\xa0business\xc2\xa0continuity/\xc2\xa0\n                        disaster\xc2\xa0recovery\xc2\xa0plans\xc2\xa0to\xc2\xa0determine\xc2\xa0effectiveness\xc2\xa0and\xc2\xa0to\xc2\xa0maintain\xc2\xa0current\xc2\xa0\n                        plans.\xc2\xa0(Base)\xc2\xa0\n                9.1.8. After\xe2\x80\x90action\xc2\xa0report\xc2\xa0that\xc2\xa0addresses\xc2\xa0issues\xc2\xa0identified\xc2\xa0during\xc2\xa0contingency/disaster\xc2\xa0\n                       recovery\xc2\xa0exercises\xc2\xa0(FCD1,\xc2\xa0NIST\xc2\xa0SP\xc2\xa0800\xe2\x80\x9034).\xc2\xa0(Base)\xc2\xa0\n                9.1.9. Systems\xc2\xa0that\xc2\xa0have\xc2\xa0alternate\xc2\xa0processing\xc2\xa0sites\xc2\xa0(FCD1,\xc2\xa0NIST\xc2\xa0SP\xc2\xa0800\xe2\x80\x9034,\xc2\xa0\n                       NIST\xc2\xa0SP\xc2\xa0800\xe2\x80\x9053).\xc2\xa0(Base)\xc2\xa0\n\n                                                                                                Page 26\n\x0c                  Treasury Inspector General for Tax Administration \xe2\x80\x93 Federal\n               Information Security Management Act Report for Fiscal Year 2012\n\n\n\n                9.1.10. Alternate\xc2\xa0processing\xc2\xa0sites\xc2\xa0are\xc2\xa0subject\xc2\xa0to\xc2\xa0the\xc2\xa0same\xc2\xa0risks\xc2\xa0as\xc2\xa0primary\xc2\xa0sites\xc2\xa0(FCD1,\xc2\xa0\n                        NIST\xc2\xa0SP\xc2\xa0800\xe2\x80\x9034,\xc2\xa0NIST\xc2\xa0SP\xc2\xa0800\xe2\x80\x9053).\xc2\xa0\n                9.1.11. Backups\xc2\xa0of\xc2\xa0information\xc2\xa0that\xc2\xa0are\xc2\xa0performed\xc2\xa0in\xc2\xa0a\xc2\xa0timely\xc2\xa0manner\xc2\xa0(FCD1,\xc2\xa0\n                        NIST\xc2\xa0SP\xc2\xa0800\xe2\x80\x9034,\xc2\xa0NIST\xc2\xa0SP\xc2\xa0800\xe2\x80\x9053).\xc2\xa0(Base)\xc2\xa0\n                9.1.12. 
Contingency\xc2\xa0planning\xc2\xa0that\xc2\xa0considers\xc2\xa0supply\xc2\xa0chain\xc2\xa0threats.\xc2\xa0(Base)\xc2\xa0\n        9.2.    Please\xc2\xa0provide\xc2\xa0any\xc2\xa0additional\xc2\xa0information\xc2\xa0on\xc2\xa0the\xc2\xa0effectiveness\xc2\xa0of\xc2\xa0the\xc2\xa0organization\xe2\x80\x99s\xc2\xa0\n                contingency\xc2\xa0planning\xc2\xa0program\xc2\xa0that\xc2\xa0was\xc2\xa0not\xc2\xa0noted\xc2\xa0in\xc2\xa0the\xc2\xa0questions\xc2\xa0above.\xc2\xa0\nPurpose\xc2\xa0and\xc2\xa0Use\xc2\xa0\xc2\xa0\nThese\xc2\xa0questions\xc2\xa0are\xc2\xa0being\xc2\xa0asked\xc2\xa0for\xc2\xa0the\xc2\xa0following\xc2\xa0reasons:\xc2\xa0\xc2\xa0\n    \xef\x82\xb7   Contingency\xc2\xa0planning\xc2\xa0deals\xc2\xa0with\xc2\xa0risks\xc2\xa0which\xc2\xa0occur\xc2\xa0rarely.\xc2\xa0\xc2\xa0As\xc2\xa0such,\xc2\xa0there\xc2\xa0is\xc2\xa0a\xc2\xa0temptation\xc2\xa0to\xc2\xa0\n        ignore\xc2\xa0these\xc2\xa0risks.\xc2\xa0\xc2\xa0\n    \xef\x82\xb7   The\xc2\xa0purpose\xc2\xa0of\xc2\xa0this\xc2\xa0section\xc2\xa0is\xc2\xa0to\xc2\xa0determine\xc2\xa0if\xc2\xa0the\xc2\xa0organization\xc2\xa0is\xc2\xa0giving\xc2\xa0adequate\xc2\xa0attention\xc2\xa0to\xc2\xa0\n        the\xc2\xa0rare\xc2\xa0events\xc2\xa0which\xc2\xa0have\xc2\xa0such\xc2\xa0significant\xc2\xa0consequences\xc2\xa0that\xc2\xa0they\xc2\xa0become\xc2\xa0first\xe2\x80\x90priority\xc2\xa0risks.\xc2\xa0\xc2\xa0\n\n10.     CONTRACTOR\tSYSTEMS\xc2\xa0\n        10.1. 
Has\xc2\xa0the\xc2\xa0organization\xc2\xa0established\xc2\xa0a\xc2\xa0program\xc2\xa0to\xc2\xa0oversee\xc2\xa0systems\xc2\xa0operated\xc2\xa0on\xc2\xa0its\xc2\xa0behalf\xc2\xa0\n                by\xc2\xa0contractors\xc2\xa0or\xc2\xa0other\xc2\xa0entities,\xc2\xa0including\xc2\xa0organization\xc2\xa0systems\xc2\xa0and\xc2\xa0services\xc2\xa0residing\xc2\xa0in\xc2\xa0\n                the\xc2\xa0cloud\xc2\xa0external\xc2\xa0to\xc2\xa0the\xc2\xa0organization?\xc2\xa0\xc2\xa0If\xc2\xa0yes,\xc2\xa0besides\xc2\xa0the\xc2\xa0improvement\xc2\xa0opportunities\xc2\xa0\n                that\xc2\xa0may\xc2\xa0have\xc2\xa0been\xc2\xa0identified\xc2\xa0by\xc2\xa0the\xc2\xa0OIG,\xc2\xa0does\xc2\xa0the\xc2\xa0program\xc2\xa0includes\xc2\xa0the\xc2\xa0following\xc2\xa0\n                attributes:\xc2\xa0\n                10.1.1. Documented\xc2\xa0policies\xc2\xa0and\xc2\xa0procedures\xc2\xa0for\xc2\xa0information\xc2\xa0security\xc2\xa0oversight\xc2\xa0of\xc2\xa0\n                        systems\xc2\xa0operated\xc2\xa0on\xc2\xa0the\xc2\xa0organization\xe2\x80\x99s\xc2\xa0behalf\xc2\xa0by\xc2\xa0contractors\xc2\xa0or\xc2\xa0other\xc2\xa0entities,\xc2\xa0\n                        including\xc2\xa0organization\xc2\xa0systems\xc2\xa0and\xc2\xa0services\xc2\xa0residing\xc2\xa0in\xc2\xa0public\xc2\xa0cloud.\xc2\xa0(Base)\xc2\xa0\n                10.1.2. The\xc2\xa0organization\xc2\xa0obtains\xc2\xa0sufficient\xc2\xa0assurance\xc2\xa0that\xc2\xa0security\xc2\xa0controls\xc2\xa0of\xc2\xa0such\xc2\xa0\n                        systems\xc2\xa0and\xc2\xa0services\xc2\xa0are\xc2\xa0effectively\xc2\xa0implemented\xc2\xa0and\xc2\xa0comply\xc2\xa0with\xc2\xa0Federal\xc2\xa0and\xc2\xa0\n                        organization\xc2\xa0guidelines.\xc2\xa0(Base)\xc2\xa0\n                10.1.3. 
A\xc2\xa0complete\xc2\xa0inventory\xc2\xa0of\xc2\xa0systems\xc2\xa0operated\xc2\xa0on\xc2\xa0the\xc2\xa0organization\xe2\x80\x99s\xc2\xa0behalf\xc2\xa0by\xc2\xa0\n                        contractors\xc2\xa0or\xc2\xa0other\xc2\xa0entities,\xc2\xa0including\xc2\xa0organization\xc2\xa0systems\xc2\xa0and\xc2\xa0services\xc2\xa0\n                        residing\xc2\xa0in\xc2\xa0public\xc2\xa0cloud.\xc2\xa0(Base)\xc2\xa0\n                10.1.4. The\xc2\xa0inventory\xc2\xa0identifies\xc2\xa0interfaces\xc2\xa0between\xc2\xa0these\xc2\xa0systems\xc2\xa0and\xc2\xa0\n                        organization\xe2\x80\x90operated\xc2\xa0systems\xc2\xa0(NIST\xc2\xa0800\xe2\x80\x9053:\xc2\xa0PM\xe2\x80\x905).\xc2\xa0(Base)\xc2\xa0\n                10.1.5. The\xc2\xa0organization\xc2\xa0requires\xc2\xa0appropriate\xc2\xa0agreements\xc2\xa0(e.g.,\xc2\xa0MOUs,\xc2\xa0Interconnection\xc2\xa0\n                        Security\xc2\xa0Agreements,\xc2\xa0contracts,\xc2\xa0etc.)\xc2\xa0for\xc2\xa0interfaces\xc2\xa0between\xc2\xa0these\xc2\xa0systems\xc2\xa0and\xc2\xa0\n                        those\xc2\xa0that\xc2\xa0it\xc2\xa0owns\xc2\xa0and\xc2\xa0operates.\xc2\xa0(Base)\xc2\xa0\n\n                                                                                                  Page 27\n\x0c                 Treasury Inspector General for Tax Administration \xe2\x80\x93 Federal\n              Information Security Management Act Report for Fiscal Year 2012\n\n\n\n               10.1.6. The\xc2\xa0inventory\xc2\xa0of\xc2\xa0contractor\xc2\xa0systems\xc2\xa0is\xc2\xa0updated\xc2\xa0at\xc2\xa0least\xc2\xa0annually.\xc2\xa0(Base)\xc2\xa0\n               10.1.7. 
Systems\xc2\xa0that\xc2\xa0are\xc2\xa0owned\xc2\xa0or\xc2\xa0operated\xc2\xa0by\xc2\xa0contractors\xc2\xa0or\xc2\xa0entities,\xc2\xa0including\xc2\xa0\n                       organization\xc2\xa0systems\xc2\xa0and\xc2\xa0services\xc2\xa0residing\xc2\xa0in\xc2\xa0public\xc2\xa0cloud,\xc2\xa0are\xc2\xa0compliant\xc2\xa0with\xc2\xa0\n                       FISMA\xc2\xa0requirements,\xc2\xa0OMB\xc2\xa0policy,\xc2\xa0and\xc2\xa0applicable\xc2\xa0NIST\xc2\xa0guidelines.\xc2\xa0(Base)\xc2\xa0\n       10.2. Please\xc2\xa0provide\xc2\xa0any\xc2\xa0additional\xc2\xa0information\xc2\xa0on\xc2\xa0the\xc2\xa0effectiveness\xc2\xa0of\xc2\xa0the\xc2\xa0organization\xe2\x80\x99s\xc2\xa0\n             contractor\xc2\xa0systems\xc2\xa0program\xc2\xa0that\xc2\xa0was\xc2\xa0not\xc2\xa0noted\xc2\xa0in\xc2\xa0the\xc2\xa0questions\xc2\xa0above.\xc2\xa0\nPurpose\xc2\xa0and\xc2\xa0Use\xc2\xa0\xc2\xa0\nThese\xc2\xa0questions\xc2\xa0are\xc2\xa0being\xc2\xa0asked\xc2\xa0for\xc2\xa0the\xc2\xa0following\xc2\xa0reasons:\xc2\xa0\xc2\xa0\n   \xef\x82\xb7   These\xc2\xa0questions\xc2\xa0are\xc2\xa0being\xc2\xa0asked\xc2\xa0because\xc2\xa0in\xc2\xa0the\xc2\xa0past\xc2\xa0some\xc2\xa0Federal\xc2\xa0agencies\xc2\xa0tended\xc2\xa0to\xc2\xa0assume\xc2\xa0\n       that\xc2\xa0they\xc2\xa0were\xc2\xa0not\xc2\xa0responsible\xc2\xa0for\xc2\xa0managing\xc2\xa0the\xc2\xa0risk\xc2\xa0of\xc2\xa0contractor\xc2\xa0systems.\xc2\xa0\xc2\xa0\n   \xef\x82\xb7   The\xc2\xa0key\xc2\xa0question\xc2\xa0is\xc2\xa0\xe2\x80\x9cAre\xc2\xa0these\xc2\xa0contractor\xe2\x80\x90operated\xc2\xa0systems\xc2\xa0being\xc2\xa0managed\xc2\xa0to\xc2\xa0ensure\xc2\xa0that\xc2\xa0they\xc2\xa0\n       have\xc2\xa0adequate\xc2\xa0security\xc2\xa0and\xc2\xa0can\xc2\xa0the\xc2\xa0DAA\xc2\xa0make\xc2\xa0an\xc2\xa0informed\xc2\xa0decision\xc2\xa0about\xc2\xa0whether\xc2\xa0or\xc2\xa0not\xc2\xa0to\xc2\xa0\n       accept\xc2\xa0any\xc2\xa0residual\xc2\xa0risk?\xe2\x80\x9d\xc2\xa0\xc2\xa0\n\n11.    SECURITY\tCAPITAL\tPLANNING\xc2\xa0\n       11.1. 
Has\xc2\xa0the\xc2\xa0organization\xc2\xa0established\xc2\xa0a\xc2\xa0security\xc2\xa0capital\xc2\xa0planning\xc2\xa0and\xc2\xa0investment\xc2\xa0program\xc2\xa0for\xc2\xa0\n               information\xc2\xa0security?\xc2\xa0\xc2\xa0If\xc2\xa0yes,\xc2\xa0besides\xc2\xa0the\xc2\xa0improvement\xc2\xa0opportunities\xc2\xa0that\xc2\xa0may\xc2\xa0have\xc2\xa0\n               been\xc2\xa0identified\xc2\xa0by\xc2\xa0the\xc2\xa0OIG,\xc2\xa0does\xc2\xa0the\xc2\xa0program\xc2\xa0include\xc2\xa0the\xc2\xa0following\xc2\xa0attributes:\xc2\xa0\n               11.1.1. Documented\xc2\xa0policies\xc2\xa0and\xc2\xa0procedures\xc2\xa0to\xc2\xa0address\xc2\xa0information\xc2\xa0security\xc2\xa0in\xc2\xa0the\xc2\xa0\n                       capital\xc2\xa0planning\xc2\xa0and\xc2\xa0investment\xc2\xa0control\xc2\xa0(CPIC)\xc2\xa0process.\xc2\xa0(Base)\xc2\xa0\n               11.1.2. Includes\xc2\xa0information\xc2\xa0security\xc2\xa0requirements\xc2\xa0as\xc2\xa0part\xc2\xa0of\xc2\xa0the\xc2\xa0capital\xc2\xa0planning\xc2\xa0and\xc2\xa0\n                       investment\xc2\xa0process.\xc2\xa0(Base)\xc2\xa0\n               11.1.3. Establishes\xc2\xa0a\xc2\xa0discrete\xc2\xa0line\xc2\xa0item\xc2\xa0for\xc2\xa0information\xc2\xa0security\xc2\xa0in\xc2\xa0organizational\xc2\xa0\n                       programming\xc2\xa0and\xc2\xa0documentation\xc2\xa0(NIST\xc2\xa0800\xe2\x80\x9053:\xc2\xa0SA\xe2\x80\x902).\xc2\xa0(Base)\xc2\xa0\n               11.1.4. Employs\xc2\xa0a\xc2\xa0business\xc2\xa0case/Exhibit\xc2\xa0300/Exhibit\xc2\xa053\xc2\xa0to\xc2\xa0record\xc2\xa0the\xc2\xa0information\xc2\xa0\n                       security\xc2\xa0resources\xc2\xa0required\xc2\xa0(NIST\xc2\xa0800\xe2\x80\x9053:\xc2\xa0PM\xe2\x80\x903).\xc2\xa0(Base)\xc2\xa0\n               11.1.5. Ensures\xc2\xa0that\xc2\xa0information\xc2\xa0security\xc2\xa0resources\xc2\xa0are\xc2\xa0available\xc2\xa0for\xc2\xa0expenditure\xc2\xa0as\xc2\xa0\n                       planned.\xc2\xa0(Base)\xc2\xa0\n       11.2. 
Please\xc2\xa0provide\xc2\xa0any\xc2\xa0additional\xc2\xa0information\xc2\xa0on\xc2\xa0the\xc2\xa0effectiveness\xc2\xa0of\xc2\xa0the\xc2\xa0organization\xe2\x80\x99s\xc2\xa0\n             security\xc2\xa0capital\xc2\xa0planning\xc2\xa0program\xc2\xa0that\xc2\xa0was\xc2\xa0not\xc2\xa0noted\xc2\xa0in\xc2\xa0the\xc2\xa0questions\xc2\xa0above.\xc2\xa0\n\n\n\n\n                                                                                                   Page 28\n\x0c                 Treasury Inspector General for Tax Administration \xe2\x80\x93 Federal\n              Information Security Management Act Report for Fiscal Year 2012\n\n\n\nPurpose\xc2\xa0and\xc2\xa0Use\xc2\xa0\xc2\xa0\nThese\xc2\xa0questions\xc2\xa0are\xc2\xa0being\xc2\xa0asked\xc2\xa0for\xc2\xa0the\xc2\xa0following\xc2\xa0reasons:\xc2\xa0\xc2\xa0\n   \xef\x82\xb7   One\xc2\xa0key\xc2\xa0area\xc2\xa0of\xc2\xa0capital\xc2\xa0investment\xc2\xa0in\xc2\xa0the\xc2\xa0next\xc2\xa0few\xc2\xa0years\xc2\xa0will\xc2\xa0be\xc2\xa0investments\xc2\xa0in\xc2\xa0the\xc2\xa0tools\xc2\xa0and\xc2\xa0\n       other\xc2\xa0infrastructure\xc2\xa0needed\xc2\xa0for\xc2\xa0adequate\xc2\xa0continuous\xc2\xa0monitoring.\xc2\xa0\xc2\xa0Fortunately,\xc2\xa0most\xc2\xa0of\xc2\xa0these\xc2\xa0\n       tools\xc2\xa0also\xc2\xa0support\xc2\xa0(and\xc2\xa0are\xc2\xa0needed\xc2\xa0for)\xc2\xa0good\xc2\xa0network\xc2\xa0and\xc2\xa0system\xc2\xa0operations.\xc2\xa0\xc2\xa0Thus,\xc2\xa0many\xc2\xa0of\xc2\xa0\n       these\xc2\xa0tools\xc2\xa0may\xc2\xa0already\xc2\xa0be\xc2\xa0in\xc2\xa0place.\xc2\xa0\xc2\xa0\n   \xef\x82\xb7   This\xc2\xa0section\xc2\xa0might\xc2\xa0equally\xc2\xa0consider\xc2\xa0operational\xc2\xa0budgeting.\xc2\xa0\xc2\xa0Clearly,\xc2\xa0good\xc2\xa0security\xc2\xa0requires\xc2\xa0a\xc2\xa0\n       wise\xc2\xa0investment\xc2\xa0of\xc2\xa0operational\xc2\xa0resources,\xc2\xa0not\xc2\xa0just\xc2\xa0capital\xc2\xa0ones.\xc2\xa0\n\n\n\n\n                                                                                      
                                                                              Appendix II

                 Major Contributors to This Report

Alan R. Duncan, Assistant Inspector General for Audit (Security and Information Technology Services)
Kent Sagara, Director
Jody Kitazono, Audit Manager
Bret Hunter, Senior Auditor
Mary Jankowski, Senior Auditor
Louis Lee, Senior Auditor
Midori Ohno, Senior Auditor
Esther Wilson, Senior Auditor
Linda Nethery, Information Technology Specialist

                                                                             Appendix III

                       Report Distribution List

Commissioner C
Office of the Commissioner – Attn: Chief of Staff C
Deputy Commissioner for Operations Support OS
Chief Technology Officer OS:CTO
Chief Counsel CC
National Taxpayer Advocate TA
Director, Office of Legislative Affairs CL:LA
Director, Office of Program Evaluation and Risk Analysis RAS:O
Office of Internal Control OS:CFO:CPIC:IC
Audit Liaison: Director, Risk Management Division OS:CTO:SP:RM

                                                                              Appendix IV

 Treasury Inspector General for Tax Administration Information Technology Security-Related Reports Issued During the Fiscal Year 2012 Evaluation Period

 1. Treasury Inspector General for Tax Administration (TIGTA), Ref. No. 2011-20-076, The IRS2GO Smartphone Application Is Secure, but Development Process Improvements Are Needed (Aug. 2011).
 2. TIGTA, Ref. No. 2011-20-088, The Modernized e-File Release 6.2 Included Enhancements, but Improvements Are Needed for Tracking Performance Issues and Security Weaknesses (Sept. 2011).
 3. TIGTA, Ref. No. 2011-20-116, Treasury Inspector General for Tax Administration – Federal Information Security Management Act Report for Fiscal Year 2011 (Sept. 2011).
 4. TIGTA, Ref. No. 2011-20-111, Continued Centralization of the Windows Environment Would Improve Administration and Security Efficiencies (Sept. 2011).
 5. TIGTA, Ref. No. 2011-20-101, Security Controls Over Wireless Technology Were Generally in Place; However, Further Actions Can Improve Security (Sept. 2011).
 6. TIGTA, Ref. No. 2011-20-099, The Mainframe Databases Reviewed Met Security Requirements; However, Automated Security Scans Were Not Performed (Sept. 2011).
 7. TIGTA, Ref. No. 2012-20-019, The Computer Security Incident Response Center Is Effectively Performing Most of Its Responsibilities, but Further Improvements Are Needed (Mar. 2012).
 8. TIGTA, Ref. No. 2012-20-041, Disaster Recovery Testing Is Being Adequately Performed, but Problem Reporting and Tracking Can Be Improved (May 2012).
 9. TIGTA, Ref. No. 2012-20-063, Enterprise-Level Oversight Is Needed to Ensure Adherence to Windows Server Security Policies (June 2012).

                                                                               Appendix V

                           Glossary of Terms

Accreditation (or Authorization) Boundary: Includes all components of an information system to be authorized for operation by an authorizing official and excludes separately authorized systems to which the information system is connected.

Administrative Account: A user account with full privileges on a computer.

Authentication: Verifying the identity of a user, process, or device, often as a prerequisite to allowing access to resources in an information system.

Boundary Protection: Monitoring and control of communications at the external boundary of an information system to prevent and detect malicious and other unauthorized communication through the use of boundary protection devices.

Boundary System: Physical or logical perimeter of a system.

Cloud (Computing) Environment: The use of computing resources (hardware and software) that are delivered as a service over a network (typically the Internet). The name comes from the use of a cloud-shaped symbol as an abstraction for the complex infrastructure it contains in system diagrams.

Configuration Baseline: A set of specifications for a system, or a configuration item within a system, that has been formally reviewed and agreed on at a given point in time, and that can be changed only through change control procedures. The baseline configuration is used as a basis for future builds, releases, and/or changes.

Configuration Items: Assets, service components, or other items that are (or will be) controlled by configuration management.

Configuration Management: A collection of activities focused on establishing and maintaining the integrity of products and systems through control of the processes for initializing, changing, and monitoring the configurations of those products and systems throughout the system development life cycle.

Demilitarized Zone: A network segment inserted as a “neutral zone” between an organization’s private network and the Internet.

Device Identification and Authentication: The information system uniquely identifies and authenticates before establishing a connection. See Authentication.

Federal Desktop Core Configuration: OMB-mandated set of security configurations for all Federal workstation and laptop devices that run either Windows XP or Vista.

Firewall: A gateway that limits access between networks in accordance with local security policy.

General Support System: An interconnected set of information resources under the same direct management control that shares common functionality. It normally includes hardware, software, information, data, applications, communications, and people.

Identity and Access Management: Addresses the mission-critical need to ensure appropriate access to resources across increasingly heterogeneous technology environments and to meet increasingly rigorous compliance requirements.

Internal Revenue Manual: The IRS publication of its information security policies, guidelines, standards, and procedures in order for IRS divisions and offices to carry out their respective responsibilities in information security.

Internet Protocol: Standard protocol for transmission of data from source to destinations in packet-switched communications networks and interconnected systems of such networks.

Least Privilege: The security objective of granting users only those accesses they need to perform their official duties.

Logical Access: Controls used to determine the electronic information and systems that users and other systems may access and the actions that may be performed to the information accessed.

Malware: A program that is inserted into a system, usually covertly, with the intent of compromising the confidentiality, integrity, or availability of the computer’s data, applications, or operating system.

Milestone: The “go/no-go” decision point in a project; it is sometimes associated with funding approval to proceed.

Multifactor Authentication: Authentication using two or more factors to achieve authentication. Factors include: (1) something you know (e.g., password/PIN); (2) something you have (e.g., cryptographic identification device, token); or (3) something you are (e.g., physical characteristic).

nCircle: An automated tool that scans computers for vulnerabilities related to network exploits and renders a report of findings.

Operating System: A set of software that manages computer hardware resources and provides common services for computer programs. The operating system is a vital component of the system software in a computer system.
Application programs require an operating system to\n                             function.\nPatch Management             The systematic notification, identification, deployment,\n                             installation, and verification of operating system and application\n                             software code revisions. These revisions are known as patches, hot\n                             fixes, and service packs.\nPhishing (Attack)            Tricking individuals into disclosing sensitive personal information\n                             through deceptive computer-based means.\nPlaintext                    Intelligible data that has meaning and can be understood without\n                             the application of decryption.\nPlan of Action and           A document that identifies tasks needing to be accomplished. It\nMilestones                   details resources required to accomplish the elements of the plan,\n                             any milestones in meeting the tasks, and scheduled completion\n                             dates for the milestones.\n\n\n\n                                                                                           Page 35\n\x0c                 Treasury Inspector General for Tax Administration \xe2\x80\x93 Federal\n              Information Security Management Act Report for Fiscal Year 2012\n\n\n\n\nTerm                        Definition\nPolicy Checker              An automated tool that reads the security settings of computers\n                            and logs any noncompliant setting to text files.\nPrivileged Account          Individuals who have access to set \xe2\x80\x9caccess rights\xe2\x80\x9d for users on a\n                            given system. 
Sometimes referred to as system or network\n                            administrative accounts.\nRemote Access               Access to an organizational information system by a user (or an\n                            information system acting on behalf of a user) communicating\n                            through an external network (e.g., the Internet).\nRogue Computer              An unauthorized computer on a network.\nSecurity Capital Planning   The integration of information technology security and capital\n                            planning processes to ensure that agency resources are protected\n                            and risk is effectively managed.\nSeparation of Duties        As a security principle, its primary objective is the prevention of\n                            fraud and errors. This objective is achieved by disseminating the\n                            tasks and associated privileges for a specific business process\n                            among multiple users.\nSingle-factor               Authentication using one factor (e.g., a username or password) to\nAuthentication              achieve authentication. See Authentication.\nSingle Sign-On              Provides the capability to authenticate once and be subsequently\n                            and automatically authenticated when accessing various target\n                            systems. It eliminates the need to separately authenticate and sign\n                            on to individual applications and systems, essentially serving as a\n                            user surrogate between client workstations and target systems.\nSocial Engineering          An attempt to trick someone into revealing information (e.g., a\n                            password) that can be used to attack systems or networks.\nTwo-factor Authentication   Authentication using two factors to achieve authentication. 
See\n                            Multifactor Authentication.\nUS-CERT                     A partnership between the Department of Homeland Security and\n                            the public and private sectors established to protect the Nation\xe2\x80\x99s\n                            Internet infrastructure. US-CERT coordinates defense against and\n                            responses to cyberattacks across the Nation.\n\n\n\n\n                                                                                         Page 36\n\x0c                 Treasury Inspector General for Tax Administration \xe2\x80\x93 Federal\n              Information Security Management Act Report for Fiscal Year 2012\n\n\n\n\nTerm                         Definition\nVirtual Environment          The physical system running a host operating system and\n                             hypervisor (i.e., software that allows a single host to run one or\n                             more guest operating systems).\nVulnerability Scanning       Scanning for specific functions, ports, protocols, and services that\n(i.e., Software Assessing)   should not be accessible to users or devices and for improperly\n                             configured or incorrectly operating information flow mechanisms.\nZero-Day Vulnerability       An exploit that takes advantage of a security vulnerability on the\n                             same day that the vulnerability becomes generally known. There\n                             are zero days between the time the vulnerability is discovered and\n                             the first attack. Given time, the software company can fix the code\n                             and distribute a patch or software update.\n\n\n\n\n                                                                                           Page 37\n\x0c'